Azure Keyvault EKM with FCI cluster

Andrii Sydorenko 21

Hi.
We have a SQL FCI cluster and would like to implement Extensible Key Management Using Azure Key Vault for backup encryption.
I have made all configurations according to the guide (https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/setup-steps-for-extensible-key-management-using-the-azure-key-vault?view=sql-server-ver15&tabs=portal) and everything looked good. I have successfully tested backup and restore. But when I move the cluster to a secondary node I can't do any backups or restores and receive an error:
Msg 15209, Level 16, State 24, Line 3
An error occurred during encryption.
Msg 3013, Level 16, State 1, Line 3
BACKUP DATABASE is terminating abnormally.
After several hours I was identified that Azure EKM wrote some information into [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQL Server Cryptographic Provider] registry key and of course these settings not migrating between cluster nodes.

When I import this setting on the secondary node all my backup jobs started working.
Is it possible to automatically synchronize these settings between nodes or store this information in master DB or other clustered DB?

JamesTran-MSFT 36,371 Reputation points Microsoft Employee

2021-04-06T20:05:12.413+00:00
@AndreySidorenko-6059
Thank you for your post and I apologize for the delayed response! I'm glad that you were able to import the registry key settings onto the secondary node so all your backup jobs can continue working.

When it comes to moving your cluster to a secondary node, was there a reason for this?

For the registry key settings, is this specifically the AKV Key name/GUID as shown in your screenshots, that you migrated over?

Any additional details would be greatly appreciated.

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
Andrii Sydorenko 21 Reputation points

2021-04-07T08:18:00.57+00:00
Hello James

When it comes to moving your cluster to a secondary node, was there a reason for this?
It was a normal test. This cluster not in production and I need to know if everything is working fine.

For the registry key settings, is this specifically the AKV Key name/GUID as shown in your screenshots, that you migrated over?
Yes. KeyName/GUID match to the KeyName/Version in Azure KeyVault. These registry settings are created when you enter the next command: CREATE ASYMMETRIC KEY EKMSampleASYKey
FROM PROVIDER [AzureKeyVault_EKM]
WITH PROVIDER_KEY_NAME = 'ContosoRSAKey0',
CREATION_DISPOSITION = OPEN_EXISTING
JamesTran-MSFT 36,371 Reputation points Microsoft Employee

2021-04-07T19:13:26.39+00:00

@AndreySidorenko-6059
Thank you for the quick follow up and responses!

I'll reach out to our AKV team and update as soon as possible on - it's possible to automatically synchronize these settings between nodes or store this information in master DB or other clustered DB?

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
JamesTran-MSFT 36,371 Reputation points Microsoft Employee

2021-04-07T20:19:46.317+00:00

@AndreySidorenko-6059
Thank you for your time and patience throughout this issue!

I spoke with our AKV team and since your question is about - synchronizing registry settings between nodes or storing this information in a master DB or other clustered DB, this issue is more related to SQL server. Therefore, I'll add the "sql-server-general" tag to this thread and remove the "azure-key-vault" tag.

Please allow some time for our SQL server community to look into this issue and respond to your thread.
Thank you again for your time and patience throughout this issue.