By default, new EKM keys are generated without CXI group. The CryptoServer user does not need to have a CXI_GROUP attribute, but every cryptographic user on the CryptoServer can access the keys in the SQLEKM key store file. To provide better protection, a CXI group should be defined in the SQL Server credential’s identity:
SQL Statement
|
Now, new SQLEKM keys are created in the CXI group ekmgroup and only CryptoServer users belonging to this group can access these keys. Therefore, the CryptoServer user sqlekm needs to be member of the CXI group ekmgroup by setting its CXI_GROUP attribute to ekmgroup on user creation.
Since key names (more specifically the PROVIDER_KEY_NAME) have to be unique per CXI group only, the use of different CXI groups for different credentials also prevents name collisions when SQLEKM is used with different databases from the same SQL Server.