AndriiSydorenko-PE asked JamesTran-MSFT edited

Azure Keyvault EKM with FCI cluster

Hi.
We have a SQL FCI cluster and would like to implement Extensible Key Management Using Azure Key Vault for backup encryption.
I have made all configurations according to the guide (https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/setup-steps-for-extensible-key-management-using-the-azure-key-vault?view=sql-server-ver15&tabs=portal) and everything looked good. I have successfully tested backup and restore. But when I move the cluster to a secondary node I can't do any backups or restores and receive an error:
Msg 15209, Level 16, State 24, Line 3
An error occurred during encryption.
Msg 3013, Level 16, State 1, Line 3
BACKUP DATABASE is terminating abnormally.
After several hours I identified that Azure EKM wrote some information into the [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQL Server Cryptographic Provider] registry key, and of course these settings do not migrate between cluster nodes.
[Two screenshots of the registry key contents were attached here]
When I imported these settings on the secondary node, all my backup jobs started working.
Is it possible to automatically synchronize these settings between nodes or store this information in master DB or other clustered DB?
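An added example, not part of the original thread or of the Microsoft guide: a PowerShell script that snapshots the registry key the post identifies on every FCI node, reports drift between nodes (the failure mode described above shows up as the key being absent on the secondary), and replicates the key from the node where CREATE ASYMMETRIC KEY was run. The node names and the temporary file path are assumptions.

```powershell
# Added example (not from the original thread). Assumes PowerShell remoting is enabled,
# the caller is a local admin on every node, and the node names are placeholders
# (or take them from (Get-ClusterNode).Name in the FailoverClusters module).
$KeyPath = 'HKLM:\SOFTWARE\Microsoft\SQL Server Cryptographic Provider'
$Nodes   = @('SQLNODE1', 'SQLNODE2')
# Flatten the key and all subkeys into "subkey\valuename=data" strings so snapshots diff as text.
$collect = {
    param($Path)
    if (-not (Test-Path $Path)) { return '<key absent>' }
    @(Get-Item $Path) + @(Get-ChildItem -Path $Path -Recurse) | ForEach-Object {
        $key = $_
        $props = Get-ItemProperty -Path $key.PSPath
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -notin 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') {
                '{0}\{1}={2}' -f $key.Name, $p.Name, $p.Value
            }
        }
    }
}
$state = @{}
foreach ($n in $Nodes) {
    $state[$n] = @(Invoke-Command -ComputerName $n -ScriptBlock $collect -ArgumentList $KeyPath)
    if ($state[$n].Count -eq 0) { $state[$n] = @('<key empty>') }   # Compare-Object rejects empty arrays
}
# Report drift relative to the first node; run after every failover test or from a
# scheduled task so a missing key is found before the next backup job fails.
$ref = $Nodes[0]
foreach ($n in $Nodes | Where-Object { $_ -ne $ref }) {
    $diff = Compare-Object -ReferenceObject $state[$ref] -DifferenceObject $state[$n]
    if ($diff) { Write-Warning "Registry drift between $ref and ${n}:"; $diff | Format-Table -AutoSize }
    else       { Write-Host "$n matches $ref" }
}
# Replication helper: export the key from the node hosting the instance (where the
# CREATE ASYMMETRIC KEY ran) and import it on the others. It overwrites the targets,
# so review the drift report first.
function Sync-EkmProviderKey {
    param([string]$Source, [string[]]$Targets)
    $regKey = 'HKLM\SOFTWARE\Microsoft\SQL Server Cryptographic Provider'
    $file   = 'C:\Windows\Temp\ekm-provider.reg'
    $src = New-PSSession -ComputerName $Source
    Invoke-Command -Session $src { param($k, $f) reg.exe export $k $f /y | Out-Null } -ArgumentList $regKey, $file
    Copy-Item -Path $file -Destination $file -FromSession $src
    foreach ($t in $Targets) {
        $dst = New-PSSession -ComputerName $t
        Copy-Item -Path $file -Destination $file -ToSession $dst
        Invoke-Command -Session $dst { param($f) reg.exe import $f } -ArgumentList $file
        Remove-PSSession $dst
    }
    Remove-PSSession $src
}
```

Re-run the drift check (and the sync) after every new CREATE ASYMMETRIC KEY against the EKM provider, since each such key writes fresh entries under the same registry path on the active node only.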



@AndreySidorenko-6059
Thank you for your post and I apologize for the delayed response! I'm glad that you were able to import the registry key settings onto the secondary node so all your backup jobs can continue working.

  • When it comes to moving your cluster to a secondary node, was there a reason for this?

  • For the registry key settings, is this specifically the AKV Key name/GUID as shown in your screenshots, that you migrated over?


Any additional details would be greatly appreciated.

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.


Hello James

  • When it comes to moving your cluster to a secondary node, was there a reason for this?
    It was a normal test. This cluster is not in production, and I need to know if everything is working fine.

  • For the registry key settings, is this specifically the AKV Key name/GUID as shown in your screenshots, that you migrated over?
    Yes. The KeyName/GUID matches the KeyName/Version in Azure KeyVault. These registry settings are created when you run the following command:

      CREATE ASYMMETRIC KEY EKMSampleASYKey
         FROM PROVIDER [AzureKeyVault_EKM]  
         WITH PROVIDER_KEY_NAME = 'ContosoRSAKey0',  
         CREATION_DISPOSITION = OPEN_EXISTING
    

@AndreySidorenko-6059
Thank you for the quick follow up and responses!

I'll reach out to our AKV team and update as soon as possible on whether it's possible to automatically synchronize these settings between nodes or store this information in the master DB or another clustered DB.


If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
