Using the Provider

SQL Server can create and store keys internally, protected by software only. With Extensible Key Management (EKM), SQL Server can use keys protected by an HSM for data and key encryption/decryption.

The CryptoServer SQLEKM provider offers EKM functionality for Utimaco CryptoServer HSMs, supporting different symmetric and asymmetric algorithms. Keys generated with the CryptoServer SQLEKM provider are stored in an external database ("keystore") encrypted by the Master Backup Key (MBK). The location of the database is defined in the configuration file.