Skip to main content
purple hex pattern
illustration of man next to database shape

Defend your database

The nShield Database Security Option Pack allows nShield hardware security modules (HSMs) to seamlessly integrate with Microsoft SQL Server. Encrypting the data in your database protects the data, but the encryption keys that unlock the data must also be protected. The use of HSMs safeguards encryption keys by storing them separately from the data on a secure, trusted platform.

Beyond Security

Database Security Option Pack Benefits

database icon

Hardware Key Protection

Store database encryption keys in a secure, tamper-resistant environment to prevent copying or tampering.

user with checkmark icon

User and Role Enforcement

Get stronger control for accessing encrypted data in Microsoft SQL Server.


Tighter Key Control

Limit access to database encryption keys via smart card authentication for administrators

support icon

Flexible Encryption Support

Both Transparent Data Encryption (TDE) and cell level encryption are supported.

Tech Specs

The SQLEKM provider has been tested to support the Enterprise Editions of:

  • Microsoft SQL Server 2019
  • Microsoft SQL Server 2017

These are supported on the following platforms:

  • Windows Server 2019 R2 Standard (64-bit configuration)
  • Windows Server 2016 (64-bit configuration)

Supported Security World Software and nShield HSMs

The Database Security Option Pack for SQL Server is fully compatible with V12.40.2 or higher of the Security World Software and all current PCIe and network attached HSMs.

Supported types of Database encryption

From a security perspective, the Microsoft SQL Server supports the use of cryptographic keys to protect its databases. These encryption keys can be used to perform two levels of encryption.

  • Transparent Data Encryption (TDE) is used to encrypt an entire database in a way that does not require changes to existing queries and applications. A database encrypted with TDE is automatically decrypted when SQL Server loads it into memory from disk storage, which means that a client can query the database within the server environment without having to perform any decryption operations. The database is encrypted again when saved to disk storage. When using TDE, data is not protected by encryption while in memory. Only one encryption key at a time per database can be used for TDE.
  • To use Cell-Level Encryption (CLE), you must specify the data to be encrypted and the key(s) with which to encrypt it. CLE uses one or more keys to encrypt individual cells or columns. It gives the ability to apply fine-grained access policies to the most sensitive data in a database. Only the specified data is encrypted: other data remains unencrypted. This mode of encryption can minimize data exposure within the database server and client applications. You can apply CLE to database tables that are also encrypted using TDE. Note that when using CLE, data is only decrypted in memory when required for use. Separate data can be encrypted using different encryption keys within the same data table.

Supported deployment configurations:

  • Stand-alone service
  • Database failover clusters using either nShield Solo or nShield Connect

What our customers are saying...