Microsoft SQL Server provides different types of encryption to help protect data. The data encrypted in the traditional key hierarchy is done using a symmetric data encryption key (DEK). In this model, the symmetric data encryption key is additionally protected by encrypting it with a hierarchy of keys stored in the SQL Server.
An alternative to this model is to use the Extensible Key Management (EKM) provider. The Microsoft SQL Server EKM Provider enables external (third-party) EKM/HSM vendors to integrate their modules into the Microsoft SQL Server. After integration, SQL Server users can use the encryption keys stored on EKM modules. This model adds an additional layer of security and separates the management of keys and data.