Error Transparent Database Encryption with Azure Key Vault

J H 1 Reputation point
2022-02-07T22:56:20.397+00:00

Hi,

I am new at AKV. I am working on TDE with AKV. The below command error out

USE [<DatabaseName>]
GO

CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_256
ENCRYPTION BY SERVER ASYMMETRIC <Asymmnetric key>
GO

Msg 15209, Level 16, State 24, Line 83
An error occurred during encryption.

When I look in sql log, It's just memory dump. However, when I look in EventViewer, I see

Vault Name: <VaultName>.vault.azure.net
Operation: wrapKey
Key Name: <keyname/version>
Message: [error:113, info:403, state:0] The server responded 403, because the user does not have proper permission to perform the action. Please make sure you have the permission for the specified operation. At minimum,'get, wrapKey, unwrapKey' permissions are required.

I checked with my network team and they confirm that the permissions are there. I thought if the permissions are not there, I would not be able to create SQL Asymmetric key.

I am using SQL 2019 Enterprise edition.

Have anyone run into this issue?

Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,163 questions
SQL Server
SQL Server
A family of Microsoft relational database management and analysis systems for e-commerce, line-of-business, and data warehousing solutions.
13,086 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. AmanpreetSingh-MSFT 56,446 Reputation points
    2022-02-08T09:38:29.717+00:00

    @J H • How have you acquired the token to call Key Vault for the wrapKey operation? Please check if the token acquisition is done under user context or application context and make sure the correct entity is given the Wrap Key permission either via Access Policy or RBAC. For testing purposes, you may try the Wrap Key REST Call to perform this operation by using the token as bearer token in the Authorization header of the REST API call. You can also try capturing the token via fiddler trace or by applying breakpoint in application code and decoding the token at https://jwt.ms to see if the token is issued to User or Application and check if it is issued to the correct audience, which should be https://vault.azure.net.

    To get more details about the operation and error, you may consider enabling Azure Key Vault logging.