Defend your database
The nShield Database Security Option Pack allows nShield hardware security modules (HSMs) to seamlessly integrate with Microsoft SQL Server. Encrypting the data in your database protects the data, but the encryption keys that unlock the data must also be protected. The use of HSMs safeguards encryption keys by storing them separately from the data on a secure, trusted platform.
Database Security Option Pack Benefits
Hardware Key Protection
Store database encryption keys in a secure, tamper-resistant environment to prevent copying or tampering.
User and Role Enforcement
Get stronger control for accessing encrypted data in Microsoft SQL Server.
Tighter Key Control
Limit access to database encryption keys via smart card authentication for administrators
Flexible Encryption Support
Both Transparent Data Encryption (TDE) and cell level encryption are supported.
The SQLEKM provider has been tested to support the Enterprise Editions of:
- Microsoft SQL Server 2019
- Microsoft SQL Server 2017
These are supported on the following platforms:
- Windows Server 2019 R2 Standard (64-bit configuration)
- Windows Server 2016 (64-bit configuration)
Supported Security World Software and nShield HSMs
The Database Security Option Pack for SQL Server is fully compatible with V12.40.2 or higher of the Security World Software and the following range of nShield HSMs:
- nShield Solo 500+, 6000+ and Solo XC Base/Mid/High
- nShield Connect 500+, 1500+, 6000+ and Connect XC Base/Mid/High.
Supported types of Database encryption
From a security perspective, the Microsoft SQL Server supports the use of cryptographic keys to protect its databases. These encryption keys can be used to perform two levels of encryption.
- Transparent Data Encryption (TDE) is used to encrypt an entire database in a way that does not require changes to existing queries and applications. A database encrypted with TDE is automatically decrypted when SQL Server loads it into memory from disk storage, which means that a client can query the database within the server environment without having to perform any decryption operations. The database is encrypted again when saved to disk storage. When using TDE, data is not protected by encryption while in memory. Only one encryption key at a time per database can be used for TDE.
- To use Cell-Level Encryption (CLE), you must specify the data to be encrypted and the key(s) with which to encrypt it. CLE uses one or more keys to encrypt individual cells or columns. It gives the ability to apply fine-grained access policies to the most sensitive data in a database. Only the specified data is encrypted: other data remains unencrypted. This mode of encryption can minimize data exposure within the database server and client applications. You can apply CLE to database tables that are also encrypted using TDE. Note that when using CLE, data is only decrypted in memory when required for use. Separate data can be encrypted using different encryption keys within the same data table.
Supported deployment configurations:
- Stand-alone service
- Database failover clusters using either nShield Solo or nShield Connect
What our customers are saying...
We have a long history together and we’re extremely comfortable continuing to rely on Entrust solutions for the core of our business. We have used Entrust HSMs for five years and they have always been exceptionally reliable. We’ve layered a lot of code on top of the HSM; it delivers the performance we need and has proven to be a rock-solid foundation.
As a global payment solutions and commerce enablement leader, Verifone’s strategy is to develop and deploy “best in class” payment solutions and services that meet or exceed global security standards and help our clients securely accept electronic payments across all channels of commerce. We selected Entrust HSMs to provide robust security, unmatched performance, and superior scalability across our payment security platforms…
The Entrust nShield sales team provided excellent local and remote support during this evaluation period and was invaluable to the process. The excellent depth, breadth, and quality of the product documentation gave us confidence that the solution was well though-out and supported.
Entrust provided the expertise needed to design and implement a tailored, secure VoIP solution.