Creating Keys

To create a new symmetric AES 256 key EKM_AES_256 and store it in the SecurityServer EKM provider, use the following statement:

SQL
CREATE SYMMETRIC KEY EKM_AES_256
FROM PROVIDER utimaco WITH ALGORITHM = AES_256,
PROVIDER_KEY_NAME = 'EKM_AES_256', CREATION_DISPOSITION=CREATE_NEW
GO

Note that the key name EKM_AES_256 appears twice here: first as the key name in SQL Server, and second as the SecurityServer key name (PROVIDER_KEY_NAME). The two names do not have to be identical. In SQL Server commands, a key is always referred to by its SQL Server name; the CREATE … KEY statement creates a binding from that name to the SecurityServer key, whose own name may differ.



Key Mapping

The SQL Server key can also be created from an existing SecurityServer EKM provider key:

cxitool Dev=<port@IP> LogonPass=<user>,<password> Group="" Name=<key_name> Spec=0 Usage=… GenerateKey=<key_type>,<key_size>

For AES keys, use key_type AES and key_size 256.
For RSA keys, use key_type RSA and key_size 2048/3072/4096.
To create a key in the external keystore, add the keystoretype, keystoreparam parameters before GenerateKey: …

For example, to create an AES 256 key with the name AEKM_AES_256 in the external keystore:

PowerShell
cxitool Dev=<port@IP> LogonPass=<user>,<password> keystoretype=SDB `
    keystoreparam="C:\ProgramData\Utimaco\EKM\cssqlekm.sdb" group="" `
    Name=EKM_AES_256 Usage=ENCRYPT,DECRYPT,SIGN,VERIFY spec=0 generatekey=AES,256

SQL
CREATE SYMMETRIC KEY AEKM_AES_256
FROM PROVIDER utimaco
WITH PROVIDER_KEY_NAME = 'OtherAesKey', CREATION_DISPOSITION=OPEN_EXISTING
GO

Here, SQL Server looks up the given provider key name in the SecurityServer. For the SecurityServer EKM provider, the CXI_GROUP is also taken into account if one is specified in the credential’s identity. This statement creates the binding described above.

To create asymmetric keys, proceed in the same manner. Here is the statement to create an asymmetric RSA 2048 key:

SQL
CREATE ASYMMETRIC KEY EKM_RSA_2048
FROM PROVIDER utimaco
WITH ALGORITHM = RSA_2048, PROVIDER_KEY_NAME = 'EKM_RSA_2048',
CREATION_DISPOSITION=CREATE_NEW
GO
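To verify the bindings that the statements above create, the following query is an added example (not part of the Utimaco documentation) that lists every symmetric and asymmetric SQL Server key bound to the EKM provider next to the provider-side key it maps to. It assumes the provider is registered as 'utimaco', that the session holds a credential for it, and that the thumbprint reported by sys.dm_cryptographic_provider_keys matches the one recorded in the SQL Server catalog.

```sql
-- Added check (not from the Utimaco documentation): show each SQL Server key bound to the
-- SecurityServer EKM provider together with the provider-side key name it is mapped to.
-- Assumptions: provider registered as 'utimaco'; matching by thumbprint is an assumption
-- about how the provider reports keys, so a NULL provider_key_name means "verify manually".
SELECT
    k.sql_key_name,
    k.key_kind,
    k.algorithm_desc,
    k.key_length,
    pk.key_name   AS provider_key_name,
    pk.key_type   AS provider_key_type,
    pk.key_length AS provider_key_length
FROM (
    -- symmetric keys bound to an EKM provider (provider_type = 'CRYPTOGRAPHIC PROVIDER')
    SELECT sk.name AS sql_key_name, 'SYMMETRIC' AS key_kind, sk.algorithm_desc,
           sk.key_length, sk.key_thumbprint AS thumbprint, sk.cryptographic_provider_guid
    FROM sys.symmetric_keys AS sk
    WHERE sk.provider_type = 'CRYPTOGRAPHIC PROVIDER'
    UNION ALL
    -- asymmetric keys bound to an EKM provider
    SELECT ak.name, 'ASYMMETRIC', ak.algorithm_desc,
           ak.key_length, ak.thumbprint, ak.cryptographic_provider_guid
    FROM sys.asymmetric_keys AS ak
    WHERE ak.provider_type = 'CRYPTOGRAPHIC PROVIDER'
) AS k
JOIN sys.cryptographic_providers AS cp
    ON cp.guid = k.cryptographic_provider_guid
-- ask the provider for the key whose thumbprint matches the SQL Server catalog entry
OUTER APPLY (
    SELECT TOP (1) p.key_name, p.key_type, p.key_length
    FROM sys.dm_cryptographic_provider_keys(cp.provider_id) AS p
    WHERE p.key_thumbprint = k.thumbprint
) AS pk
WHERE cp.name = 'utimaco'
ORDER BY k.key_kind, k.sql_key_name;
```

A row whose provider_key_name differs from sql_key_name is expected (as with AEKM_AES_256 bound to 'OtherAesKey' above); a row with a NULL provider_key_name is the one to investigate, since SQL Server will not be able to use that key.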