Set up SQL Server TDE Extensible Key Management by using Azure Key Vault

Applies to: yesSQL Server (all supported versions)

In this article, you install and configure the SQL Server Connector for Azure Key Vault.

Prerequisites

Before you begin using Azure Key Vault with your SQL Server instance, be sure that you've met the following prerequisites:

Step 1: Set up an Azure AD service principal

To grant your SQL Server instance access permissions to your Azure key vault, you need a service principal account in Azure AD.

  1. Sign in to the Azure portal, and do either of the following:

    • Select the Azure Active Directory button.

      Screenshot of the "Azure services" pane

    • Select More services and then, in the All services box, type Azure Active Directory.

      Screenshot of the "All Azure services" pane

  2. Register an application with Azure Active Directory by doing the following. (For detailed step-by-step instructions, see the "Get an identity for the application" section of the Azure Key Vault blog post.)

    a. On the Azure Active Directory Overview pane, select App registrations.

    Screenshot of the "Azure Active Directory Overview" pane

    b. On the App registrations pane, select New registration.

    Screenshot of the "App registrations" pane

    c. On the Register an application pane, enter the user-facing name for the app, and then select Register.

    Screenshot of the "Register an application" pane

    d. In the left pane, select Certificates & secrets, and then select New client secret.

    Screenshot of the "Certificates & secrets" pane

    e. Under Add a client secret, enter a description and an appropriate expiration, and then select Add.

    Screenshot of the "Add a client secret" section

    f. On the Certificates & secrets pane, under "Value", select the Copy button next to the value of the client secret to be used to create an asymmetric key in SQL Server.

    Screenshot of the secret value

    g. In the left pane, select Overview and then, in the Application (client) ID box, copy the value to be used to create an asymmetric key in SQL Server.

    Screenshot of the "Application (client) ID" value on the Overview pane

Step 2: Create a key vault

Select the method you want to use to create a key vault.

Create a key vault by using the Azure portal

You can use the Azure portal to create the key vault and then add an Azure AD principal to it.

  1. Create a resource group.

    All Azure resources that you create via the Azure portal must be contained in a resource group, which you create to house your key vault. The resource name in this example is ContosoDevRG. Choose your own resource group and key vault name, because all key vault names must be globally unique.

    On the Create a resource group pane, under Project details, enter the values, and then select Review + create.

    Screenshot of the "Create a resource group" pane

  2. Create a key vault.

    On the Create key vault pane, select the Basics tab, enter the appropriate values, and then select Review + create.

    Screenshot of the "Create key vault" pane

  3. On the Access policies pane, select Add Access Policy.

    Screenshot of the "Add Access Policy" link on the "Access policies" pane

  4. On the Add access policy pane, do the following:

    a. In the Configure from template (optional) drop-down list, select Key Management.

    b. In the left pane, select the Key permissions tab, and then verify the Get, List, Unwrap Key, and Wrap Key check boxes are selected.

    c. Select Add.

    Screenshot of the "Add access policy" pane

  5. In the left pane, select the Select principal tab, and then do the following:

    a. In the Principal pane, under Select, start typing the name of your Azure AD application and then, in the results list, select the application you want to add.

    Screenshot of application search box on the Principal pane

    b. Select the Select button to add the principal to your key vault.

    Screenshot of the Select button on the Principal pane

    c. At the lower left, select Add to save your changes.

    Screenshot of the Add button on the "Add access policy" pane

  6. On the Key Vault pane, select Keys and enter a key vault name. Use key type RSA and RSA Key Size 2048. Set activation and expiration dates as appropriate and set Enabled? as Yes.

    Screenshot of the "Create Key"pane

  7. On the Access policies pane, select Save.

    Screenshot of the Save button on the "Add access policy" pane

Step 3: Install the SQL Server Connector

Download the SQL Server Connector from the Microsoft Download Center. The download should be done by the administrator of the SQL Server computer.

Note

  • SQL Server Connector versions 1.0.0.440 and older have been replaced and are no longer supported in production environments and using the instructions on the SQL Server Connector Maintenance & Troubleshooting page under Upgrade of SQL Server Connector.
  • Starting with version 1.0.3.0, the SQL Server Connector reports relevant error messages to the Windows event logs for troubleshooting.
  • Starting with version 1.0.4.0, there is support for private Azure clouds, including Azure China, Azure Germany, and Azure Government.
  • There is a breaking change in version 1.0.5.0 in terms of the thumbprint algorithm. You may experience database restore failures after upgrading to 1.0.5.0. For more information, see KB article 447099.
  • Starting with version 1.0.5.0 (TimeStamp: September 2020), the SQL Server Connector supports filtering messages and network request retry logic.
  • Starting with updated version 1.0.5.0 (TimeStamp: November 2020), the SQL Server Connector supports RSA 2048, RSA 3072, RSA-HSM 2048 and RSA-HSM 3072 keys.

Screenshot of the SQL Server Connector installation wizard

By default, the Connector is installed at C:\Program Files\SQL Server Connector for Microsoft Azure Key Vault. This location can be changed during setup. If you do change it, adjust the scripts in the next section.

There's no interface for the Connector, but if it's installed successfully, the Microsoft.AzureKeyVaultService.EKM.dll is installed on the machine. This assembly is the cryptographic EKM provider DLL that needs to be registered with SQL Server by using the CREATE CRYPTOGRAPHIC PROVIDER statement.

The SQL Server Connector installation also allows you to optionally download sample scripts for SQL Server encryption.

To view error code explanations, configuration settings, or maintenance tasks for the SQL Server Connector, see:

Step 4: Configure SQL Server

For a note about the minimum permission levels needed for each action in this section, see B. Frequently Asked Questions.

  1. Run sqlcmd.exe or open SQL Server Management Studio.

  2. Configure SQL Server to use EKM by running the following Transact-SQL script:

    -- Enable advanced options.  
    USE master;  
    GO  
    
    EXEC sp_configure 'show advanced options', 1;  
    GO  
    RECONFIGURE;  
    GO  
    
    -- Enable EKM provider  
    EXEC sp_configure 'EKM provider enabled', 1;  
    GO  
    RECONFIGURE;  
    
  3. Register the SQL Server Connector as an EKM provider with SQL Server.

    Create a cryptographic provider by using the SQL Server Connector, which is an EKM provider for the Azure key vault. In this example, the provider name is AzureKeyVault_EKM.

    CREATE CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM
    FROM FILE = 'C:\Program Files\SQL Server Connector for Microsoft Azure Key Vault\Microsoft.AzureKeyVaultService.EKM.dll';  
    GO  
    

    Note

    The file path length can't exceed 256 characters.

  4. Set up a SQL Server credential for a SQL Server login to use the key vault.

    A credential must be added to each login that will perform encryption by using a key from the key vault. This might include:

    • A SQL Server administrator login that uses the key vault to set up and manage SQL Server encryption scenarios.

    • Other SQL Server logins that might enable TDE or other SQL Server encryption features.

    There is one-to-one mapping between credentials and logins. That is, each login must have a unique credential.

    Modify this Transact-SQL script in the following ways:

    • Edit the IDENTITY argument (ContosoEKMKeyVault) to point to your Azure key vault.

      • If you're using global Azure, replace the IDENTITY argument with the name of your Azure key vault from Step 2: Create a key vault.
      • If you're using a private Azure cloud (for example, Azure Government, Azure China 21Vianet, or Azure Germany), replace the IDENTITY argument with the Vault URI that's returned in step 3 of the Create a key vault and key by using PowerShell section. Don't include "https://" in the Vault URI.
    • Replace the first part of the SECRET argument with the Azure Active Directory Client ID from Step 1: Set up an Azure AD service principal. In this example, the Client ID is 9A57CBC54C4C40E2B517EA677E0EFA00.

      Important

      Be sure to remove the hyphens from the App (Client) ID.

    • Complete the second part of the SECRET argument with Client Secret from Step 1: Set up an Azure AD service principal. In this example, the Client Secret is 08:k?[:XEZFxcwIPvVVZhTjHWXm7w1?m. The final string for the SECRET argument will be a long sequence of letters and numbers, without hyphens.

    USE master;  
    CREATE CREDENTIAL sysadmin_ekm_cred
        WITH IDENTITY = 'ContosoEKMKeyVault',                            -- for public Azure
        -- WITH IDENTITY = 'ContosoEKMKeyVault.vault.usgovcloudapi.net', -- for Azure Government
        -- WITH IDENTITY = 'ContosoEKMKeyVault.vault.azure.cn',          -- for Azure China 21Vianet
        -- WITH IDENTITY = 'ContosoEKMKeyVault.vault.microsoftazure.de', -- for Azure Germany
               --<----Application (Client) ID ---><--Azure AD app (Client) ID secret-->
        SECRET = '9A57CBC54C4C40E2B517EA677E0EFA0008:k?[:XEZFxcwIPvVVZhTjHWXm7w1?m'
    FOR CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM;  
    
    -- Add the credential to the SQL Server administrator's domain login
    ALTER LOGIN [<domain>\<login>]  
    ADD CREDENTIAL sysadmin_ekm_cred;  
    

    For an example of using variables for the CREATE CREDENTIAL argument and programmatically removing the hyphens from the Client ID, see CREATE CREDENTIAL (Transact-SQL).

  5. Open your Azure key vault key in your SQL Server instance.

    Whether you created a new key or imported an asymmetric key, as described in Step 2: Create a key vault, you will need to open the key. Open it by providing your key name in the following Transact-SQL script.

    • Replace EKMSampleASYKey with the name you'd like the key to have in SQL Server.
    • Replace ContosoRSAKey0 with the name of your key in your Azure key vault.
    CREATE ASYMMETRIC KEY EKMSampleASYKey
    FROM PROVIDER [AzureKeyVault_EKM]  
    WITH PROVIDER_KEY_NAME = 'ContosoRSAKey0',  
    CREATION_DISPOSITION = OPEN_EXISTING;  
    
  6. Create a new login by using the asymmetric key in SQL Server that you created in the preceding step.

    --Create a Login that will associate the asymmetric key to this login
    CREATE LOGIN TDE_Login
    FROM ASYMMETRIC KEY EKMSampleASYKey;
    
  7. Create a new login from the asymmetric key in SQL Server. Drop the credential mapping from Step 4: Configure SQL Server so that the credentials can be mapped to the new login.

    --Now drop the credential mapping from the original association
    ALTER LOGIN [<domain>\<login>]
    DROP CREDENTIAL sysadmin_ekm_cred;
    
  8. Alter the new login, and map the EKM credentials to the new login.

    --Now add the credential mapping to the new Login
    ALTER LOGIN TDE_Login
    ADD CREDENTIAL sysadmin_ekm_cred;
    
  9. Create a test database that will be encrypted with the Azure key vault key.

    --Create a test database that will be encrypted with the Azure key vault key
    CREATE DATABASE TestTDE
    
  10. Create a database encryption key by using the ASYMMETRIC KEY (EKMSampleASYKey).

    --Create an ENCRYPTION KEY using the ASYMMETRIC KEY (EKMSampleASYKey)
    CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER ASYMMETRIC KEY EKMSampleASYKey;
    
  11. Encrypt the test database. Enable TDE by setting ENCRYPTION ON.

    --Enable TDE by setting ENCRYPTION ON
    ALTER DATABASE TestTDE
    SET ENCRYPTION ON;  
    
  12. Clean up the test objects. Delete all the objects that were created in this test script.

    -- CLEAN UP
    USE Master
    ALTER DATABASE [TestTDE] SET SINGLE_USER WITH ROLLBACK IMMEDIATE
    DROP DATABASE [TestTDE]
    
    ALTER LOGIN [TDE_Login] DROP CREDENTIAL [sysadmin_ekm_cred]
    DROP LOGIN [TDE_Login]
    
    DROP CREDENTIAL [sysadmin_ekm_cred]  
    
    USE MASTER
    DROP ASYMMETRIC KEY [EKMSampleASYKey]
    DROP CRYPTOGRAPHIC PROVIDER [AzureKeyVault_EKM]
    

For sample scripts, see the blog at SQL Server Transparent Data Encryption and Extensible Key Management with Azure Key Vault.

Next steps

Now that you've completed the basic configuration, see Use the SQL Server Connector with SQL encryption features.

See also