How to work with PKCS#11 module

Using GUI

To switch encryption to PKCS#11 module before database encryption, click "Options" and navigate to "Modules" tab.

Select module from drop-down list of modules. After module selection, it scans for attached tokens and adds its labels to token drop-down list. Login to the token if required to select the key. DbDefence lists only AES keys. Other types are not supported. Select required key from key drop-down list.

There are several restrictions on the modules. Before adding the module please read dbd_add_module

When you switch to PKCS#11 module encryption, AES-128 and AES-256 settings from "Encryption" and "Binding" does not affect encryption anymore.

PIN for Activecrypt Demo PKCS#11: 0000.

We recommend to press "Test" to check module operations on both client and server sides. It also estimates speed of encryption for a single thread. The actual speed of database encryption will be faster because SQL Server runs in multi-threaded environment.

You may generate the source code of the tool to decrypt/encrypt database. Click here to find more.

If test succeed you may continue with another settings or click "Ok" to confirm settings.

Enter encryption password as it would be done without a module. With PKCS#11 encryption the password is still used, however it does not participate in encryption directly. It is used only to check access and to initiate database decryption. Encryption is entirely performed by the module.

Click "Encrypt" to start Encryption

Using command line

There are 4 additional parameters to encrypt the database using PKCS module from command line:

-m module name

-O slot number

-i token pin

-l key label


dbencrypt.exe -S .\myserver -d testdb -p SrongPass -m etoken -O 1 -i 1111 -l keylabel

Demo PKCS#11 Module

Activecrypt Software provides very basic PKCS#11 module. It contains only one token and only one AES key. Token password '0000'.

Token implements basic encryption with random access cipher. Activecrypt customers may get the source code.