SQL Server 2008 EKM Interface Implementation

Question

Hi,

   I'm trying to find out how to implement a EKM for our HSM.

  I saw in other topics that one need to send an e-mail to "ilsung@microsoft.com" .

  Unfortunately i don't receive any answer from that e-mail.

  How should i proceed?

Thanks in advance,

Luan

Answer 1

Luan

It is not clear what your requirement is. What is EKM and HSM?

---

Best Regards,Uri Dimant SQL Server MVP,http://sqlblog.com/blogs/uri_dimant/

Blog : MS SQL Development and Optimization

Blog : Large scale of database and cleansing

Answer 2

It is not clear what your requirement is. What is EKM and HSM?

EKM = Extensible Key Management
HSM = Hardware Security Modules

The topic "Understanding Extensible Key Management (EKM)" in Books Online has more information, if you want to learn.

Unfortunately for Luan, I don't have much knowledge about EKM myself. But you work for a company that has a HSM and you want to support SQL Server?

---

Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se

Answer 3

Exactly.

Unfortunately i don't have responses from Il-sung or someonelse in MS.

Waiting for someone from MS to answer.

Answer 4

I've pinged my contacts at Microsoft. No promises, but I hope that someone will give you an answer of some sort.

---

Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se

Answer 5

The specifics vary slightly per HSM vendor, but they need to have a EKM provider, and the provider should have a document that details how to set it up.  For example:

http://www.safenet-inc.com/uploadedFiles/About_SafeNet/Resource_Library/Resource_Items/Other_Docs_EDP/Microsoft%20SQLEKM_Provider-User_Guide.pdf

http://www.arx.com/files/DOCUMENTS/PrivateServer-EKM.pdf

Once you install the provider, you enable the use of EKM with sp_configure, and then you create the cryptographic provider from the DLL that was installed.

If you are an HSM vendor and you are looking for how to write the EKM provider, I'd suggest going through your partner network contacts, or opening a product support case.  I would never expect to see those types of details presented publicly on a forum for security reasons.

---

Jonathan Kehayias | Principal Consultant, SQLSkills.com
SQL Server MVP | Microsoft Certified Master: SQL Server 2008
Author of Troubleshooting SQL Server: A Guide for Accidental DBAs
Feel free to contact me through My Blog or Twitter. Become a SQLskills Insider!
Please click the Mark as Answer button if a post solves your problem!

Answer 6

Thanks, i appreciate your help!

I'll wait for some answer.

Answer 7

Johnatan, please see. This is what i'm looking for. How to contact Il-Sung.

http://social.msdn.microsoft.com/Forums/en-US/sqlsecurity/thread/f36ba8b7-ceec-4bdd-8c84-8878e11194e3

Answer 8

Johnatan, please see. This is what i'm looking for. How to contact Il-Sung.

http://social.msdn.microsoft.com/Forums/en-US/sqlsecurity/thread/f36ba8b7-ceec-4bdd-8c84-8878e11194e3

You have his correct email on that link already and Erland has raised this issue internally with Microsoft through the MVP email distribution list already.  Send me an email through my blog and I'll provide you an alternate email address to contact a different person in Microsoft that was provided to us, but wasn't approved for sharing on a public forum yet.  If it is approved Erland or I will post it back on this thread, but few people internally at Microsoft post their email like Il-Sung did on that previous thread, I know I never would put my email address publicly on the forums like that.

---

Jonathan Kehayias | Principal Consultant, SQLSkills.com
SQL Server MVP | Microsoft Certified Master: SQL Server 2008
Author of Troubleshooting SQL Server: A Guide for Accidental DBAs
Feel free to contact me through My Blog or Twitter. Become a SQLskills Insider!
Please click the Mark as Answer button if a post solves your problem!

Answer 9

In addition to Jonathan's post, I like to add that it helps if you in your communication with Microsoft more clearly specify that why you are interested in this specification. If you work for an HSM vendor, I would execpt Microsoft to be interested, if you seem credible enough. With the somewhat vague information you have posted here, I am not sure whether to make heads or tails from it. Now, I can understand that in a public forum you prefer to be vague, but when you talk with Microsoft you need to be more explicit. So if you mailed Il-Sung Lee saying the same that you did here, I can understand that he did not take your interest as genuine.

---

Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se

Answer 10

Hey Jonathan,

  I sent you an e-mail on your blog.

Thanks!

Answer 11

Johnatan, please see. This is what i'm looking for. How to contact Il-Sung.

http://social.msdn.microsoft.com/Forums/en-US/sqlsecurity/thread/f36ba8b7-ceec-4bdd-8c84-8878e11194e3

You have his correct email on that link already and Erland has raised this issue internally with Microsoft through the MVP email distribution list already.  Send me an email through my blog and I'll provide you an alternate email address to contact a different person in Microsoft that was provided to us, but wasn't approved for sharing on a public forum yet.  If it is approved Erland or I will post it back on this thread, but few people internally at Microsoft post their email like Il-Sung did on that previous thread, I know I never would put my email address publicly on the forums like that.

  Yes, usually Microsoft provide a specific email for these issues. Like they do in similar situations like CSP.

It's a different approach but i'll send the email to the new contact.