The extensible key management (EKM) feature allows third-party enterprise key management and hardware security module (HSM) vendors to register their devices in SQL Server.

Once registered, SQL Server users can use the encryption keys stored on these modules, as well as leveraging the advanced encryption features that these modules support, such as bulk encryption/decryption and many key management functions such as key ageing and key rotation.

Data can be encrypted and decrypted using TSQL cryptographic statements, and SQL Server uses the external EKM device as the key store.