Improving Security via CXI Group

By default, new EKM keys are generated without a CXI group. In this configuration the SecurityServer user does not need a CXI_GROUP attribute, but every cryptographic user on the SecurityServer can access the keys in the EKM keystore file. To provide better protection, define a CXI group in the identity of the SQL Server credential:

SQL
CREATE CREDENTIAL csekm WITH IDENTITY = 'sqlekm@ekmgroup', SECRET = 'utimaco'
FOR CRYPTOGRAPHIC PROVIDER utimaco
GO

Now, new EKM keys are created in the CXI group ekmgroup, and only SecurityServer users belonging to this group can access these keys. Therefore, the SecurityServer user sqlekm must be a member of the CXI group ekmgroup; this is done by setting its CXI_GROUP attribute to ekmgroup when the user is created.

Since key names (more specifically, the PROVIDER_KEY_NAME) have to be unique per CXI group only, using different CXI groups for different credentials also prevents name collisions when SQLEKM is used with different databases from the same SQL Server.
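
The following added example (not part of the original documentation) shows two credentials in separate CXI groups, so that two databases on the same SQL Server can each use the same PROVIDER_KEY_NAME without colliding. The logins, databases, SecurityServer users sqlekm_hr and sqlekm_fin, groups hrgroup and fingroup, key names and placeholder secrets are assumptions; both SecurityServer users are assumed to exist already with matching CXI_GROUP attributes.

```sql
-- Added example. All names are hypothetical except the provider name
-- "utimaco", which is taken from the statement shown earlier on this page.
-- Assumption: SecurityServer users sqlekm_hr (CXI_GROUP = hrgroup) and
-- sqlekm_fin (CXI_GROUP = fingroup) already exist on the HSM.

-- One credential per CXI group; the part after '@' names the group.
CREATE CREDENTIAL cred_hr
    WITH IDENTITY = 'sqlekm_hr@hrgroup', SECRET = '<hr-user-password>'
    FOR CRYPTOGRAPHIC PROVIDER utimaco;
CREATE CREDENTIAL cred_fin
    WITH IDENTITY = 'sqlekm_fin@fingroup', SECRET = '<fin-user-password>'
    FOR CRYPTOGRAPHIC PROVIDER utimaco;
GO

-- A login can hold only one credential per cryptographic provider,
-- so each CXI group is bound to its own login.
ALTER LOGIN hr_key_admin  ADD CREDENTIAL cred_hr;
ALTER LOGIN fin_key_admin ADD CREDENTIAL cred_fin;
GO

-- Run while connected as hr_key_admin: the key is created in hrgroup.
USE HRDatabase;
CREATE ASYMMETRIC KEY hr_ekm_key
    FROM PROVIDER utimaco
    WITH PROVIDER_KEY_NAME = 'app_key',
         CREATION_DISPOSITION = CREATE_NEW,
         ALGORITHM = RSA_2048;
GO

-- Run while connected as fin_key_admin: the same PROVIDER_KEY_NAME is
-- accepted because uniqueness is checked per CXI group (here fingroup).
USE FinDatabase;
CREATE ASYMMETRIC KEY fin_ekm_key
    FROM PROVIDER utimaco
    WITH PROVIDER_KEY_NAME = 'app_key',
         CREATION_DISPOSITION = CREATE_NEW,
         ALGORITHM = RSA_2048;
GO
```

With this layout, sqlekm_hr cannot access the key created for FinDatabase and sqlekm_fin cannot access the key created for HRDatabase, since each user belongs only to its own CXI group.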