To create a new symmetric AES 256 key EKM_AES_256 and store it in the SecurityServer EKM provider, use the following statement:
[SQL statement: attachment missing]
Note that the key name EKM_AES_256 appears twice here: first as the key name for SQL Server and second as the SecurityServer key name. The two names do not have to be identical. In SQL Server commands a key is always referred to by its SQL Server name; the CREATE … KEY statement binds that name to the SecurityServer key, whose name may differ, through a common identifier.
Figure 2: Key Mapping
The SQL Server key can also be created from an existing SecurityServer EKM provider key:
[SQL statement: attachment missing]
For AES keys, use key_type AES and key_size 256.
For RSA keys, use key_type RSA and key_size 2048, 3072 or 4096.
To create a key in the external keystore, add the keystoretype and keystoreparam parameters before GenerateKey: …
For example, create an AES 256 key named AEKM_AES_256 in the external keystore.
[SQL statement: attachment missing]
[SQL statement: attachment missing]
Here, a lookup of the given provider key name is performed. For the SecurityServer EKM provider, the “CXI_GROUP” is also taken into account if one is specified in the credential’s identity. This statement creates the binding described above.
To create asymmetric keys, proceed in the same manner. Here is the statement to create an asymmetric RSA 2048 key:
[SQL statement: attachment missing]
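The three operations described above (creating a new symmetric key in the provider, binding a SQL Server key to an existing provider key, and creating an asymmetric RSA 2048 key), written out in the standard SQL Server EKM syntax as an added example. This is not the original document's own SQL: the registered provider name SecurityServerEKM and the SQL Server key name SqlSideAesKey are assumptions, and the provider-specific key_type, key_size, keystoretype and keystoreparam options are not shown. A catalog query at the end verifies that each SQL Server key is bound to the provider rather than holding local key material.

```sql
-- Added example (not from the original document). Assumes the SecurityServer
-- EKM provider was registered with CREATE CRYPTOGRAPHIC PROVIDER under the
-- placeholder name SecurityServerEKM, and that the executing login has a
-- credential mapped to that provider.

-- 1. New symmetric AES 256 key generated inside the provider. The SQL Server
--    name and PROVIDER_KEY_NAME happen to be identical here; they need not be.
CREATE SYMMETRIC KEY EKM_AES_256
FROM PROVIDER SecurityServerEKM
WITH ALGORITHM = AES_256,
     PROVIDER_KEY_NAME = 'EKM_AES_256',
     CREATION_DISPOSITION = CREATE_NEW;
GO

-- 2. Bind a SQL Server key to a key that already exists in the provider.
--    OPEN_EXISTING performs a lookup by provider key name instead of
--    generating new key material; the SQL Server name (assumed) differs
--    deliberately to show that only the binding ties the two together.
CREATE SYMMETRIC KEY SqlSideAesKey
FROM PROVIDER SecurityServerEKM
WITH PROVIDER_KEY_NAME = 'EKM_AES_256',
     CREATION_DISPOSITION = OPEN_EXISTING;
GO

-- 3. Asymmetric RSA 2048 key, created in the same manner.
CREATE ASYMMETRIC KEY EKM_RSA_2048
FROM PROVIDER SecurityServerEKM
WITH ALGORITHM = RSA_2048,
     PROVIDER_KEY_NAME = 'EKM_RSA_2048',
     CREATION_DISPOSITION = CREATE_NEW;
GO

-- 4. Verify the bindings. provider_type = 'CRYPTOGRAPHIC PROVIDER' confirms
--    the key material lives in the HSM-backed provider, not in the database.
SELECT k.name          AS sql_server_key_name,
       k.algorithm_desc,
       k.key_length,
       k.provider_type,
       p.name          AS provider_name
FROM sys.symmetric_keys AS k
JOIN sys.cryptographic_providers AS p
  ON p.guid = k.cryptographic_provider_guid;

SELECT a.name          AS sql_server_key_name,
       a.algorithm_desc,
       a.key_length,
       a.provider_type,
       p.name          AS provider_name
FROM sys.asymmetric_keys AS a
JOIN sys.cryptographic_providers AS p
  ON p.guid = a.cryptographic_provider_guid;
GO
```

Both verification queries should list each key with provider_type 'CRYPTOGRAPHIC PROVIDER' and the assumed provider name; a key that appears without a provider row was created with local key material and is not protected by the SecurityServer.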