What are hardware security modules (HSM), why we need them and how they work.

  • Published: 20 Jan 2025

Comments • 46

  • @dmfh5646 1 year ago +10

    You're doing an amazing job of making difficult concepts easier to understand for those of us just starting off our cyber careers. Many thanks.

  • @wowgingermobile2123 2 years ago +3

    Again much appreciated your video! Just done my Security+ and I wish to learn so much more about HSM.

  • @justinclayton42 1 year ago +2

    Very well presented, the perfect level of depth

  • @googlewalle8904 2 years ago +2

    Hi Adrian. Probably the best summary of how HSMs work from a high level. I currently perform staging/whitelisting of SQL Servers IP Addresses on nCipher RFS Servers. I understand the process pretty well, but myself and other Engineers differ on how, for instance, an nCipher HSM protects a SQL Server data encryption key (DEK). We are in meetings, and they all act like the SQL DEK is stored on the HSM. And my understanding, in brief terms, goes like this:

    1) SQL TDE DEK is the key that encrypts the SQL Database file.
    2) I stage the SQL Servers IP Addresses in both an HSM and RFS Config file (that the HSM will later call).
    3) In order to integrate SQL Database Servers into nCipher HSM, they must first have the Entrust Security World software installed, and then the SQLEKM.dll, I believe, via an Option Pack.
    4) Once that's all set up, they will create some accounts, and an account that maps to the SQLEKM.dll provider that's installed and set up on SQL Database.
    5) (THIS is where I need validation on how I think this truly works): They will run some SQL queries to set up/create an Asymmetric Key, i.e. a call made to the SQLEKM Provider, which interfaces with the HSM.
    6) The HSM Master key creates a KEK (Key Encryption Key) which is processed by the SQLEKM, and the KEK is used via the tdeLogin/tdeCredential while at the same time being protected by the SQLEKM Provider in the Entrust (nShield or nCipher) HSM, to finally encrypt the SQL TDE "DEK" or data encryption key, and hence, you have the HSM providing Key Management.

    Is my explanation somewhat close or am I off a bit? I really want to understand this process and be able to tell the guys at work, and per Entrust's documentation, that the TDEDEK Symmetric key is "created by the SQL Server and CANNOT be exported from the database, meaning it cannot be created or directly protected by the SQLEKM Provider (nShield or nCipher HSM).

    I'm hoping for a reply from you, and am also hoping for more in-depth videos on Entrust (or other Vendor) HSMs and the in-depth ways the process truly works. Also interesting is its use in PKI. That I would like to learn more about as well. Thank you for your time!!

    • @LearnCantrill 2 years ago +1

      Thanks for the comment. I’ll consider adding some focussed content on this.

  • @iceshad1 2 months ago

    Thx a lot! Very clear explanation!

  • @sub4god 10 months ago

    Thank you, great work!

  • @John-3692 11 months ago +1

    This is phenomenal. I had the privilege of reading something similar, and it was absolutely phenomenal. "Mastering AWS: A Software Engineers Guide" by Nathan Vale

  • @lukasbruderlin2723 25 days ago

    @LearnCantrill have you actually done the detail videos, you've mentioned? Couldn't find these on your channel.

  • @gritred5500 7 months ago

    Great stuff explained very well!

  • @ИванЖалдкк 1 year ago +1

    thanks for the explanation!

  • @rohitshende934 1 year ago

    Let's say I want to store signing keys for some tokens in an HSM. First of all, is this a good idea? Second, if yes, then does this not add latency to sign all tokens?

  • @ADAMSIVES 8 months ago

    Excellent video thanks!

  • @micael1984 9 months ago

    It is what I'm looking for. Thank you

  • @QueLastima 2 years ago

    This was exactly what I was looking for. Thanks.

  • @sachistic12 1 year ago

    Thanks for the easy explanation

  • @Rahul-lg1nw 2 years ago +1

    how to make a data vault on top of HSM for storing credentials??

    • @LearnCantrill 2 years ago

      it depends which HSM, this video is a general concept video ... the HOW would be based entirely on what HSM you use.

  • @MarlonUrias 2 months ago

    You say the keys never leave the HSM, but doesn't it generate public keys that are shared with the world?

  • @reya4182 2 years ago +1

    Such a great explanation 👏👏👏. There is no such series for this. It would be great if you could make one on Azure Managed HSM and how to implement it using Terraform

  • @johnmartin5190 1 year ago

    So what are some vulnerabilities to having a HSM?

  • @don156 2 years ago

    This is great, thank you very much

  • @itsredhwan 2 years ago

    Amazing explanation thanks a million! One thing here how we should integrate it with KMIP?

    • @LearnCantrill 2 years ago

      thanks, glad you like it. KMIP is a little bit beyond the scope of this one, maybe another video :)

  • @zebulongriggs4986 2 years ago

    Great video! Which playlist should I watch to continue the HSM learning?

    • @LearnCantrill 2 years ago

      I don't really have (yet) any other more detailed videos on HSM

  • @owendcunha8906 2 years ago

    Hey Adrian, I just wanted to let you know that you have added HSM pictures in the tech fundamentals learning aid in the associate solution architect course GitHub repository. I was a bit confused when I found it while going through the learning aids and instantly came here to know what HSM means

  • @m.imraniqbaal6912 1 year ago

    Perfect 👍

  • @jimmykrokaa 4 months ago

    We're all in this together! Hello? Troy? Gabriella? I'm sorry. I think I'm supposed to be here tomorrow night.

  • @mehulpruthi 2 years ago

    Does HSM store software keys?

    • @LearnCantrill 2 years ago

      What do you mean by "software keys" ?

  • @embeddedroom 7 months ago

    HeyCeSem :)

  • @VanMignon 3 months ago

    57131 Nichole Isle

  • @EmmieScott-z4k 4 months ago

    Daron Parkways

  • @bille7585 1 year ago

    Raspberry Pi's ??