Does EKM work with CNG key storage providers?

Question

https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/extensible-key-management-ekm says :

SQL Server provides data encryption capabilities together with Extensible Key Management (EKM), using the Microsoft Cryptographic API (MSCAPI) provider for encryption and key generation.

Does this mean that EKM will only work with MSCAPI(old CSP) and not with new CNG key storage provider?

Answer 1

Yes, at the moment the EKM (Extensible Key Management) works only with MSCAPI. The EKM does not have any API to communicate with CNG (OS level - yet).

It is the "holder" of the keys. The CNG is key storage that serves MS Windows, being default starting with Windows Server 2008 and Windows Vista.

CNG vs. EKM

The CNG (DPAPI [CNG DPAPI][1] is used only to protect Database Master Key (OS). EKM does not use it.

From the CNG point of view

If you check the CNG architecture it specifically says it is using Microsoft software KSP for (private) keys storage.

To quote:

CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default.

Even the CNG architecture image does not mention SQL Server as possibility:

For more see Key Storage and Retrieval

Note: all illustrations were created by Microsoft.