Set-AzSqlInstanceTransparentDataEncryptionProtector Configuration Error

Ald Christian Santos 0 Reputation points
2024-10-25T01:39:39.38+00:00

Error: Set-AzSqlInstanceTransparentDataEncryptionProtector: Long running operation failed with status 'Failed'. Additional Info:'The requested server key was not found.'

The KeyId that I used is already the one generated in the Key Vault -> Keys -> current version of the key -> Key Identifier (value).

I'm trying to set up TDE for SQL MI with Azure Key Vault using this command in Azure PowerShell:

Set-AzSqlInstanceTransparentDataEncryptionProtector `
    -ResourceGroupName "sampleGroup" `
    -InstanceName "sampleInstance" `
    -Type AzureKeyVault `
    -KeyId "https://<YourKeyVaultName>.vault.azure.net/keys/<YourKeyName>/<KeyVersion>"   # (samplekey)

Roles given to the SQL MI: Key Vault Crypto User role and Key Vault Crypto Officer role

Azure Key Vault is RBAC

Key generated using RSA 2048

Key is enabled


1 answer

  1. Vinodh247 22,951 Reputation points MVP
    2024-10-27T10:49:38.4+00:00

    Hi Ald Christian Santos,

    Thanks for reaching out to Microsoft Q&A.

    The error you’re encountering with Set-AzSqlInstanceTransparentDataEncryptionProtector for Azure SQL Managed Instance (SQL MI) often indicates an issue with either permissions or configuration of the Key Vault and its integration with SQL MI. Here are some troubleshooting steps to ensure the setup is correct:

    1. Confirm Permissions on the Key Vault: Ensure that the SQL Managed Instance's Managed Identity has the following roles on the Key Vault:
      • Key Vault Crypto User (for TDE key operations).
      • Key Vault Crypto Officer (for managing the key version and lifecycle).
    2. Verify the Key Vault URI and Key Permissions:
      • Double-check the KeyId URI. It should be in this format: https://<YourKeyVaultName>.vault.azure.net/keys/<YourKeyName>/<KeyVersion>
      • Confirm that the Key Vault is in the same Azure region as the SQL MI.
    3. Key Type and Version:
      • Since you’ve specified RSA 2048, that’s appropriate for SQL MI TDE.
      • Verify that the key version specified in the URI is correct and that the key status shows as enabled in the Azure Key Vault.
    4. RBAC vs. Access Policies:
      • If the Key Vault is configured for RBAC, ensure all roles are assigned via Azure RBAC instead of traditional Access Policies.
      • Also, confirm the SQL MI’s Managed Identity is listed under Access Control (IAM) for the Key Vault if using RBAC.
    5. Network and Firewall Settings:
      • Check that firewall rules or Virtual Network (VNet) service endpoints are correctly set to allow access to the Key Vault from the SQL MI.
      • If the Key Vault is configured with VNet integration, SQL MI must be in the same VNet or have peering configured to access it.
    6. Run the Command with Logging for Details:
      • Use -Debug or -Verbose in PowerShell to capture more information on the failure if the above checks don’t resolve the issue: Set-AzSqlInstanceTransparentDataEncryptionProtector ` -ResourceGroupName "sampleGroup" ` -InstanceName "sampleInstance" ` -Type AzureKeyVault ` -KeyId "https://<YourKeyVaultName>.vault.azure.net/keys/<YourKeyName>/<KeyVersion>" ` -Debug

    If you've validated all of the above, try generating a new version of the key in Key Vault and update the TDE protector command with this new version URI, as sometimes a refresh is required to recognize the correct version.

    Please feel free to click the 'Upvote' (Thumbs-up) button and 'Accept as Answer'. This helps the community by allowing others with similar queries to easily find the solution.

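The checks in the answer above, carried out as one Azure PowerShell script. This is an added example, not code from the question, the answer, or Microsoft's documentation. The four values in angle brackets are placeholders for your own names; the two role names are the ones the question and answer mention. The script only reads state until the final two cmdlets. One step goes beyond the answer: before a key can become the TDE protector it has to be registered with the instance, and the message "The requested server key was not found" is consistent with that registration being missing, so the script calls Add-AzSqlInstanceKeyVaultKey (an Az.Sql cmdlet) before Set-AzSqlInstanceTransparentDataEncryptionProtector. Treat that ordering as the assumption it is; the property names read from the returned objects (Identity.PrincipalId, EnableRbacAuthorization, KeyType, Enabled, Id) are the ones the Az modules document.

```powershell
# Added example: pre-flight checks for SQL MI TDE with a Key Vault key, then the
# register-then-set sequence. Requires Az.Accounts, Az.Sql, Az.KeyVault, Az.Resources.
# Placeholders (not real names):
$ResourceGroup = "<YourResourceGroup>"
$InstanceName  = "<YourInstanceName>"
$VaultName     = "<YourKeyVaultName>"
$KeyName       = "<YourKeyName>"

$ErrorActionPreference = "Stop"

# Step 1 (answer): the instance's managed identity is what gets the vault roles.
$mi = Get-AzSqlInstance -ResourceGroupName $ResourceGroup -Name $InstanceName
if (-not $mi.Identity -or -not $mi.Identity.PrincipalId) {
    throw "SQL MI '$InstanceName' has no managed identity; assign one before using a Key Vault key."
}
$principalId = $mi.Identity.PrincipalId

# Steps 2 and 4 (answer): vault in the same region, and RBAC rather than access policies.
$vault = Get-AzKeyVault -VaultName $VaultName
if (-not $vault.EnableRbacAuthorization) {
    Write-Warning "Vault '$VaultName' uses access policies, not RBAC; Azure role assignments alone will not grant access."
}
if ($vault.Location -ne $mi.Location) {
    Write-Warning "Vault region '$($vault.Location)' differs from SQL MI region '$($mi.Location)'."
}

# Step 1 (answer): role assignments of the identity at vault scope.
$roles = Get-AzRoleAssignment -ObjectId $principalId -Scope $vault.ResourceId |
         Select-Object -ExpandProperty RoleDefinitionName
$required = @("Key Vault Crypto User", "Key Vault Crypto Officer")   # roles named in the thread
foreach ($r in $required) {
    if ($roles -notcontains $r) {
        Write-Warning "Identity $principalId lacks role '$r' on vault '$VaultName'."
    }
}

# Step 3 (answer): current key version, key type and enabled state.
# Get-AzKeyVaultKey without -Version returns the current version; its Id is the versioned URI,
# which is the exact KeyId format the cmdlet expects.
$key = Get-AzKeyVaultKey -VaultName $VaultName -Name $KeyName
if ($key.KeyType -ne "RSA") { Write-Warning "Key type is '$($key.KeyType)', expected RSA." }
if (-not $key.Enabled)      { throw "Key '$KeyName' version $($key.Version) is disabled in the vault." }
$keyId = $key.Id
Write-Host "Using key version $($key.Version): $keyId"

# Added step (assumption, see lead-in): register the key with the instance first.
# Re-running this for an already registered key is expected to be harmless.
Add-AzSqlInstanceKeyVaultKey -ResourceGroupName $ResourceGroup -InstanceName $InstanceName -KeyId $keyId

# Step 6 (answer): set the protector with -Debug so the service-side failure detail is shown.
Set-AzSqlInstanceTransparentDataEncryptionProtector `
    -ResourceGroupName $ResourceGroup `
    -InstanceName $InstanceName `
    -Type AzureKeyVault `
    -KeyId $keyId `
    -Debug
```

Run it in a session where Connect-AzAccount has already selected the subscription that holds both the instance and the vault; if they live in different subscriptions, Get-AzRoleAssignment must be run against the vault's subscription. The warnings are deliberately non-fatal so that every check is reported in one pass; only a missing identity or a disabled key stops the script before it changes anything.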
