How to Work with the PKCS#11 Module

Using GUI

To switch encryption to the PKCS#11 module before database encryption, click "Options" and navigate to the "Modules" tab.

Select the module from the drop-down list of modules. After a module is selected, DbDefence scans for attached tokens and adds their labels to the token drop-down list. Log in to the token if required to select the key. DbDefence lists only AES keys; other key types are not supported. Select the required key from the key drop-down list.

There are several restrictions on the modules. Before adding a module, please read dbd_add_module.

When you switch to PKCS#11 module encryption, the AES-128 and AES-256 settings from "Encryption" and "Binding" no longer affect encryption.

PIN for Activecrypt Demo PKCS#11: 0000.

We recommend pressing "Test" to check module operations on both client and server sides. This also estimates the speed of encryption for a single thread. The actual speed of database encryption will be faster because SQL Server runs in a multi-threaded environment.

You may generate the source code of the tool to decrypt/encrypt the database. Click here to find more.

If the test succeeds, you may continue with other settings or click "Ok" to confirm the settings.

Enter the encryption password as you would without a module. With PKCS#11 encryption, the password is still used. However, it does not directly participate in encryption. It is used only to check access and to initiate database decryption. Encryption is performed entirely by the module.

Click "Encrypt" to start encryption.

Using command line

There are 4 additional parameters for encrypting the database with the PKCS#11 module from the command line:

-m module name

-O slot number

-i token pin

-l key label

Example:

dbencrypt.exe -S .\myserver -d testdb -p SrongPass -m etoken -O 1 -i 1111 -l keylabel
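The command above puts the encryption password and the token PIN in plain text on the command line, where they end up in script files and shell history. The PowerShell wrapper below is an added example, not part of DbDefence or its documentation: it prompts for both secrets and passes only the switches listed on this page. The function name, its parameter names and the assumption that dbencrypt.exe is on PATH are hypothetical.

```powershell
# Added example: wrapper around the dbencrypt.exe call shown on this page.
# Only switches that appear on the page are used (-S -d -p -m -O -i -l).
# Function name, parameter names and the default exe path are hypothetical.
function Invoke-DbEncryptPkcs11 {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Server,     # -S
        [Parameter(Mandatory)] [string] $Database,   # -d
        [Parameter(Mandatory)] [string] $Module,     # -m module name
        [Parameter(Mandatory)] [int]    $Slot,       # -O slot number
        [Parameter(Mandatory)] [string] $KeyLabel,   # -l key label
        [string] $ExePath = 'dbencrypt.exe'          # assumed to be on PATH
    )

    if ($Slot -lt 0) { throw 'Slot number must not be negative.' }

    # Prompt so that neither secret is stored in a script or in shell history.
    $pwSecure  = Read-Host -Prompt 'Encryption password' -AsSecureString
    $pinSecure = Read-Host -Prompt 'Token PIN' -AsSecureString

    # dbencrypt.exe takes both values as plain arguments, so unwrap them only here.
    $pw  = [System.Net.NetworkCredential]::new('', $pwSecure).Password
    $pin = [System.Net.NetworkCredential]::new('', $pinSecure).Password
    if ([string]::IsNullOrEmpty($pw) -or [string]::IsNullOrEmpty($pin)) {
        throw 'Password and token PIN must not be empty.'
    }

    $dbArgs = @('-S', $Server, '-d', $Database, '-p', $pw,
                '-m', $Module, '-O', $Slot, '-i', $pin, '-l', $KeyLabel)
    try {
        # Send tool output to the console so the function returns only the exit code.
        & $ExePath @dbArgs | Out-Host
        return $LASTEXITCODE   # the meaning of the code is defined by dbencrypt.exe
    }
    finally {
        # Drop the references to the plaintext copies once the process has finished.
        Remove-Variable pw, pin, dbArgs -ErrorAction SilentlyContinue
    }
}

# Same values as the example on this page, without the two secrets:
# Invoke-DbEncryptPkcs11 -Server '.\myserver' -Database 'testdb' -Module 'etoken' -Slot 1 -KeyLabel 'keylabel'
```

Both secrets are still part of the dbencrypt.exe process command line while it runs, so they remain visible to process listings and command-line auditing on that host.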

Demo PKCS#11 module

Activecrypt Software provides a very basic PKCS#11 module. It contains only one token and only one AES key. The token password is '0000'.

The token implements basic encryption with a random access cipher. Activecrypt customers may get the source code.