PrivateServer HSM EKM Provider for Microsoft SQL Server January 2014 Document Version 1.1
Notice The information provided in this document is the sole property of Algorithmic Research Ltd. No part of this document may be reproduced, stored or transmitted in any form or any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission from Algorithmic Research Ltd. Copyright 2014 by Algorithmic Research Ltd. All rights reserved.
Table of Contents
    Introduction
    Requirements
    PrivateServer Installation and Configuration
        PrivateServer Installation
        PrivateServer Configuration
        Signing Engine Configuration
    Using Microsoft SQL EKM Provider
        Registering the EKM Provider
        Generating Symmetric and Asymmetric Keys
        Encrypting and Decrypting Data with a Symmetric Key
        Encrypting and Decrypting Data with an Asymmetric Key
Introduction

Microsoft SQL Server 2008/2012 provides data encryption capabilities together with Extensible Key Management (EKM), using HSM devices. ARX PrivateServer HSM offers an EKM plug-in that provides cryptographic capabilities such as bulk encryption, decryption and key management functions. By adding EKM to PrivateServer's growing list of supported APIs, PrivateServer HSM can serve as an external cryptographic provider, offloading cryptographic operations from SQL Server and significantly enhancing operational security. Via this feature, any organization that uses Microsoft SQL Server 2008/2012 as its database engine can use PrivateServer HSM to secure sensitive information in its database. A significant advantage of this feature is that it does not require any further development or integration by the application developer or database administrator.

This step-by-step guide will help you set up PrivateServer as a cryptographic engine for Microsoft SQL Server 2008/2012. It provides code samples and detailed information about the different features of the PrivateServer EKM provider.

The PrivateServer EKM provider supports the following features and algorithms:
    Authentication type: Username/Password
    Symmetric algorithms: AES_128, AES_192, AES_256, DES, TRIPLE_DES, TRIPLE_DES_3KEY
    Asymmetric algorithms: RSA_1024, RSA_2048
    Key name support: Yes

ARX PrivateServer is a highly secure (FIPS 140-2 Level 3), high-capacity, network-attached HSM that provides a secure environment for data encryption and key management. PrivateServer conducts sensitive cryptographic operations, secure key storage and management of a large number of keys.

Requirements

Two servers are required to set up your system:
    ARX PrivateServer v4.7 or higher
    Windows Server 2008 R2 or higher with Microsoft SQL Server 2008/2012 (Enterprise, Developer or Evaluation edition)
PrivateServer Installation and Configuration

The process of installing PrivateServer HSM and its client is described in full detail in the PrivateServer Installation and Operation Guide. Please refer to that manual for a detailed description of each installation step.

PrivateServer Installation

To set up your PrivateServer follow the steps below:
1. Install the PrivateServer client on the Windows 2008 server by running the client setup.
2. Make sure that the following features are installed:
   a. Legacy client
   b. PrivateSafe USB driver
   c. Signing Engine
3. Connect the USB smart card reader to the Windows 2008 server.
4. Run the PrivateServer management application from All Programs -> ARX -> PrivateServer Client -> PrivateServer Management.
5. Select Client -> Generate Cards and generate a set of smart cards (Root, Init and Startup). For more information refer to Chapter 4: Preparing Smartcards in the PrivateServer Installation and Operation Guide. It is recommended to create backups of the Init and Startup smart cards.
6. Select the Client -> Generate Users menu option and generate a smart card for the administrative user first. For more details refer to Chapter 4: Preparing Smartcards in the PrivateServer Installation and Operation Guide.
7. Initialize the PrivateServer with the newly generated set of smart cards (Init and Startup). For more information refer to Chapter 5: Operating the System in the PrivateServer Installation and Operation Guide.
8. Set the PrivateServer IP address. For more information refer to Chapter 6: Configuring the System in the PrivateServer Installation and Operation Guide.

PrivateServer Configuration

Perform the following steps to create the EKM user in the PrivateServer database:
1. Add your PrivateServer IP address to the servers list from the Client -> Add PrivateServer menu.
2. Select Server -> Connect to connect to the PrivateServer with the administrative user.
3. Select View -> Users to switch to the users view. Select User -> Create to create a user for the EKM provider; this is the user on whose behalf the sensitive keys are created and used.
4. Enter the EKM user data. Usually such a user does not need any special authorizations, so you can leave the whole authorization mask clear. However, since this is a critical user in the system, set the Minimum Access Level to "Non-secure LAN, authenticated and encrypted session". This setting requires strong user authentication with key media (software token or smart card).
5. Click OK to create the EKM user.
6. Select Client -> Generate Users and generate software token key media for the EKM user. For more details refer to Chapter 4: Preparing Smartcards in the PrivateServer Installation and Operation Guide.
7. Test the key media by establishing an authenticated connection with the PrivateServer.
Signing Engine Configuration

The signing engine is a client-side component that provides support for the Microsoft CAPI, Cryptography API: Next Generation (CNG) and PKCS#11 APIs. These APIs are used by the EKM provider to access the PrivateServer HSM and perform the required cryptographic operations.

To configure the signing engine on the SQL server:
1. Select the Client -> Settings menu and click the Signing Engine tab.
2. Click the New button to add a new slot.
   a. In the Signing Engine group box choose Server Based and choose the IP of your PrivateServer from the combo box.
   b. In the Authentication Type group box choose File Media and enter the path to the software key media of the EKM user.
   c. In the User and Password Details group box enter the EKM user name.
   d. Check Use Unattended Password and enter a dummy password. At runtime the password to the software token is supplied by the SQL server from the user credentials (see Registering the EKM Provider below).
3. Click the Apply button to save your settings.
4. Click the Test button to check your configuration settings. If the test fails, check your configuration or restart the machine.
5. Press OK.
Using Microsoft SQL EKM Provider

To install and configure the EKM provider on your Microsoft SQL Server, run SQL Server Management Studio and enter the queries given in the following sections.

Registering the EKM Provider

To register the EKM provider enter the following commands:

Use the sp_configure command to enable the Extensible Key Management feature.

Run a query to register the provider name and set the full path to the EKM provider DLL. In the example below, AR_EKM_Prov is the name of the provider and C:\Program Files\ARX\PrivateServer Client\EKM\win64\arekm.dll is the path to arekm.dll.

Run a query to create login credentials that map the PrivateServer user to the SQL Server user. In the example below, AR_EKM_Prov is the name of the EKM provider created in the previous step, AR_EKM_cred is the name of the credential, EKMuser is the name of the PrivateServer user that was defined in the Signing Engine configuration, TestDomain\administrator is the domain name\username of the SQL Server user, and SECRET is the media password if you use media authentication.
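The registration sequence as an added example; these are the standard T-SQL EKM statements written with the names this guide uses (AR_EKM_Prov, the arekm.dll path, AR_EKM_cred, EKMuser, TestDomain\administrator and the placeholder SECRET), not queries copied from the guide or from ARX. The catalog checks at the end are assumed to be what an administrator wants to verify before going further.

```sql
-- Enable EKM. It is an advanced option, so expose advanced options first.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'EKM provider enabled', 1;
RECONFIGURE;
GO

-- Register the PrivateServer EKM provider DLL under the name AR_EKM_Prov.
-- Requires CONTROL SERVER; the DLL must be readable by the SQL Server
-- service account and should live in a directory only administrators can write.
CREATE CRYPTOGRAPHIC PROVIDER AR_EKM_Prov
    FROM FILE = 'C:\Program Files\ARX\PrivateServer Client\EKM\win64\arekm.dll';
GO

-- Verify the provider loaded and list the algorithms it reports to SQL Server.
SELECT provider_id, name, version, dll_path, is_enabled
FROM sys.cryptographic_providers;

DECLARE @pid INT = (SELECT provider_id FROM sys.cryptographic_providers
                    WHERE name = 'AR_EKM_Prov');
SELECT * FROM sys.dm_cryptographic_provider_algorithms(@pid);
GO

-- Credential holding the PrivateServer user (EKMuser) and its media password.
-- Replace SECRET with the real media password: SQL Server stores it encrypted
-- under the service master key and hands it to the provider at runtime, which
-- is why the Signing Engine slot only needs a dummy unattended password.
CREATE CREDENTIAL AR_EKM_cred
    WITH IDENTITY = 'EKMuser', SECRET = 'SECRET'
    FOR CRYPTOGRAPHIC PROVIDER AR_EKM_Prov;
GO

-- Map the credential to the SQL Server login that will use the HSM keys.
-- Only logins carrying this credential can drive operations in PrivateServer.
ALTER LOGIN [TestDomain\administrator] ADD CREDENTIAL AR_EKM_cred;
GO
```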
Generating Symmetric and Asymmetric Keys

Run a query to generate a symmetric key inside PrivateServer, to be used by the EKM provider. In the example below, master is the name of the database, SQL_EKM_3DES is the name of the key in the SQL database, AR_EKM_Prov is the name of the EKM provider defined in the previous step, TRIPLE_DES_3KEY is the algorithm of the generated key, and 3des_test_key is the name of the key in the PrivateServer database.

Supported symmetric key types are:
    AES_128
    AES_192
    AES_256
    DES
    TRIPLE_DES
    TRIPLE_DES_3KEY

To create an asymmetric key, use the following example:

Supported asymmetric key types are:
    RSA_1024
    RSA_2048
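Key creation as an added example (standard T-SQL EKM syntax, not queries taken from the guide). It uses the guide's names master, SQL_EKM_3DES, AR_EKM_Prov, TRIPLE_DES_3KEY and 3des_test_key; the PrivateServer key name rsa_test_key for the RSA key and the catalog checks are assumptions.

```sql
USE master;
GO

-- Symmetric key: generated inside PrivateServer under the HSM name 3des_test_key
-- and exposed to SQL Server as SQL_EKM_3DES. The key material stays in the HSM;
-- SQL Server only stores a reference to it.
CREATE SYMMETRIC KEY SQL_EKM_3DES
    FROM PROVIDER AR_EKM_Prov
    WITH PROVIDER_KEY_NAME     = '3des_test_key',
         CREATION_DISPOSITION  = CREATE_NEW,
         ALGORITHM             = TRIPLE_DES_3KEY;
GO

-- Asymmetric key: an RSA_1024 pair generated in the HSM. The private key never
-- leaves PrivateServer; 'rsa_test_key' is an assumed HSM-side name.
CREATE ASYMMETRIC KEY SQL_EKM_RSA_1024
    FROM PROVIDER AR_EKM_Prov
    WITH ALGORITHM            = RSA_1024,
         PROVIDER_KEY_NAME    = 'rsa_test_key',
         CREATION_DISPOSITION = CREATE_NEW;
GO

-- To attach a key that already exists in PrivateServer (a second SQL Server
-- instance, or a rebuilt master database) use OPEN_EXISTING instead; the
-- provider key name must already exist in the HSM:
-- CREATE SYMMETRIC KEY SQL_EKM_3DES FROM PROVIDER AR_EKM_Prov
--     WITH PROVIDER_KEY_NAME = '3des_test_key', CREATION_DISPOSITION = OPEN_EXISTING;

-- Confirm both keys are provider-backed (provider_type = 'CRYPTOGRAPHIC PROVIDER')
-- rather than stored inside the database.
SELECT name, algorithm_desc, provider_type, cryptographic_provider_guid
FROM sys.symmetric_keys  WHERE name = 'SQL_EKM_3DES';
SELECT name, algorithm_desc, provider_type, cryptographic_provider_guid
FROM sys.asymmetric_keys WHERE name = 'SQL_EKM_RSA_1024';
GO
```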
Encrypting and Decrypting Data with a Symmetric Key

Run the following query to encrypt the credit_card column in the user_credit_cards table with the SQL_EKM_3DES symmetric key.

Run the following query to decrypt the credit_card column in the user_credit_cards table with the SQL_EKM_3DES symmetric key.
Encrypting and Decrypting Data with an Asymmetric Key

Run the following query to encrypt the credit_card column in the user_credit_cards table with the SQL_EKM_RSA_1024 asymmetric key.

Run the following query to decrypt the credit_card column in the user_credit_cards table with the SQL_EKM_RSA_1024 asymmetric key.
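Column encryption and decryption with both keys, as one added example covering the symmetric (SQL_EKM_3DES) and asymmetric (SQL_EKM_RSA_1024) sections above; it is not taken from the guide. The user_credit_cards schema, the credit_card_enc column and the sample card number are constructed, since the guide does not show them, and the keys are assumed to have been created in master as in the previous section.

```sql
USE master;
GO

-- Constructed sample table: credit_card holds the plaintext to protect, and the
-- assumed credit_card_enc column holds the varbinary output of EncryptByKey /
-- EncryptByAsymKey (the ciphertext cannot go back into an NVARCHAR column).
CREATE TABLE dbo.user_credit_cards (
    id              INT IDENTITY(1,1) PRIMARY KEY,
    credit_card     NVARCHAR(32),
    credit_card_enc VARBINARY(512)
);
INSERT INTO dbo.user_credit_cards (credit_card) VALUES (N'4111111111111111'); -- constructed value
GO

-- Symmetric key SQL_EKM_3DES. A provider-backed key needs no OPEN SYMMETRIC KEY;
-- the HSM session is authenticated through the credential mapped to the login.
UPDATE dbo.user_credit_cards
SET credit_card_enc = EncryptByKey(Key_GUID('SQL_EKM_3DES'), credit_card);

-- DecryptByKey locates the key from the GUID stored in the ciphertext header and
-- returns varbinary, so CONVERT back to the column's original type.
SELECT id, CONVERT(NVARCHAR(32), DecryptByKey(credit_card_enc)) AS credit_card
FROM dbo.user_credit_cards;
GO

-- Asymmetric key SQL_EKM_RSA_1024. RSA encrypts the value directly, so each
-- plaintext must fit in one RSA block (at most 117 bytes for a 1024-bit key
-- with PKCS#1 v1.5 padding); a 16-digit NVARCHAR card number is 32 bytes.
UPDATE dbo.user_credit_cards
SET credit_card_enc = EncryptByAsymKey(AsymKey_ID('SQL_EKM_RSA_1024'), credit_card);

-- Decryption runs inside PrivateServer with the private key; SQL Server sends
-- the ciphertext to the HSM and receives only the result.
SELECT id,
       CONVERT(NVARCHAR(32),
               DecryptByAsymKey(AsymKey_ID('SQL_EKM_RSA_1024'), credit_card_enc)) AS credit_card
FROM dbo.user_credit_cards;
GO

-- Once the ciphertext round-trips correctly, clear the plaintext column so the
-- card number exists only under HSM-held keys.
UPDATE dbo.user_credit_cards SET credit_card = NULL;
GO
```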