No SQL connector for Azure Key Vault in SQL Managed Instance

Surbhi Nijhara 26 Reputation points
2020-09-11T11:28:20.85+00:00

Hi,

The SQL connector for Azure Key Vault is not pre-installed and configured in Azure SQL Managed Instance.
This prevents using column-level encryption with a key from AKV.

Please note that the 'Always Encrypted' feature does not meet my business requirements; hence I need to use the traditional CLE feature, but with AKV, on a SQL Managed Instance.

TDE on SQL Managed Instance using BYOK (i.e. from Azure Key Vault) is possible, which means that inherently a Key Vault connector must be getting used. However, it is not available if CLE is to be used.

Should this not be a default installable available in SQL Managed Instance?

Thanks.

Azure SQL Database
Azure Key Vault

2 answers

  1. David Browne - msft 3,756 Reputation points
    2020-09-11T20:48:38.65+00:00

    Should not this be a default installable available in SQL Managed Instance?

    Perhaps it should, but it currently is not. You can create a product feedback item here.

    Here are some possible workarounds.

    You could encrypt with key protected by a Database Master Key in a BYOK TDE encrypted database.

    You could store a password in AKV and supply it from the application layer to open a symmetric key or certificate.

    Please add to your feedback item enough information about your scenario to motivate the request, and also whether Always Encrypted with secure enclaves would be a good fit for your scenario.


  2. Surbhi Nijhara 26 Reputation points
    2020-09-14T07:41:23.35+00:00

    anonymous usere-msft, thanks for your response.
    1) 'You could encrypt with key protected by a Database Master Key in a BYOK TDE encrypted database.' - This was tried and I was hoping it would work. However, it fails with an error about not finding the provider:

    Msg 15151, Level 16, State 1, Line 20
    Cannot find the cryptographic provider 'AzureKeyVault_EKM', because it does not exist or you do not have permission.

    We are unable to create the provider because of the missing connector.

    2) 'You could store a password in AKV and supply it from the application layer to open a symmetric key or certificate.'
    Could you please elaborate further on how to do this? Can I pass the AKV key while connecting to the database, in a connection URL?

    Thanks,
    Surbhi

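The two workarounds from the first answer, written out in T-SQL as an added example that is not code from either poster or from Microsoft documentation. It assumes a Managed Instance database on which TDE with a customer-managed key from Key Vault is already configured, a constructed dbo.Customer table, and made-up key, certificate and procedure names; every `<placeholder ...>` string stands for a value that would come from Key Vault and is not a real secret. Neither variant uses the AzureKeyVault_EKM provider, so the Msg 15151 error above does not arise.

```sql
-- Constructed demo schema: one table with a column that holds CLE ciphertext.
CREATE TABLE dbo.Customer (
    CustomerId   int IDENTITY(1,1) PRIMARY KEY,
    Name         nvarchar(100)  NOT NULL,
    SsnEncrypted varbinary(256) NOT NULL   -- ENCRYPTBYKEY output
);
GO

---------------------------------------------------------------------------
-- Workaround 1: key hierarchy rooted in the database master key (DMK).
-- The DMK is also protected by the service master key, so the key opens
-- without a run-time password, and the whole database, this key material
-- included, sits under TDE with the BYOK key held in Key Vault.
---------------------------------------------------------------------------
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<placeholder DMK password>';  -- literal only
GO
CREATE CERTIFICATE CleCert_Customer            -- private key protected by the DMK
    WITH SUBJECT = 'Column encryption certificate for dbo.Customer';
GO
CREATE SYMMETRIC KEY CleKey_Cert
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CleCert_Customer;
GO

OPEN SYMMETRIC KEY CleKey_Cert DECRYPTION BY CERTIFICATE CleCert_Customer;
INSERT dbo.Customer (Name, SsnEncrypted)
VALUES (N'Alice Example', ENCRYPTBYKEY(KEY_GUID('CleKey_Cert'), N'123-45-6789'));
CLOSE SYMMETRIC KEY CleKey_Cert;
GO

-- Reads need no explicit OPEN: DECRYPTBYKEYAUTOCERT opens the key through the
-- certificate; the NULL password means the private key is DMK-protected.
SELECT CustomerId, Name,
       CONVERT(nvarchar(11),
               DECRYPTBYKEYAUTOCERT(CERT_ID('CleCert_Customer'), NULL, SsnEncrypted)) AS Ssn
FROM dbo.Customer;
GO

---------------------------------------------------------------------------
-- Workaround 2: key protected only by a password that is kept as a Key Vault
-- secret. The database never stores the password; the application fetches it
-- from Key Vault (for example with its managed identity) and passes it as a
-- procedure parameter on every call. It does not go into the connection string.
---------------------------------------------------------------------------
CREATE SYMMETRIC KEY CleKey_Pwd
    WITH ALGORITHM = AES_256
    ENCRYPTION BY PASSWORD = '<placeholder: value of the Key Vault secret>';
GO

-- OPEN SYMMETRIC KEY accepts only a string literal for the password, so the
-- value supplied by the application is spliced in as a quoted literal.
-- QUOTENAME(..., '''') doubles any embedded single quote, so the password
-- cannot break out of the literal. An opened key stays open for the session.
CREATE PROCEDURE dbo.usp_OpenCleKeyPwd @KeyPassword nvarchar(128)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'OPEN SYMMETRIC KEY CleKey_Pwd DECRYPTION BY PASSWORD = '
        + QUOTENAME(@KeyPassword, '''') + N';';
    EXEC sys.sp_executesql @sql;
END;
GO

CREATE PROCEDURE dbo.usp_InsertCustomer
    @Name nvarchar(100), @Ssn nvarchar(11), @KeyPassword nvarchar(128)
AS
BEGIN
    EXEC dbo.usp_OpenCleKeyPwd @KeyPassword;
    INSERT dbo.Customer (Name, SsnEncrypted)
    VALUES (@Name, ENCRYPTBYKEY(KEY_GUID('CleKey_Pwd'), @Ssn));
    CLOSE SYMMETRIC KEY CleKey_Pwd;
END;
GO

CREATE PROCEDURE dbo.usp_GetCustomerSsn @CustomerId int, @KeyPassword nvarchar(128)
AS
BEGIN
    EXEC dbo.usp_OpenCleKeyPwd @KeyPassword;
    SELECT CustomerId, Name,
           CONVERT(nvarchar(11), DECRYPTBYKEY(SsnEncrypted)) AS Ssn
    FROM dbo.Customer
    WHERE CustomerId = @CustomerId;
    CLOSE SYMMETRIC KEY CleKey_Pwd;
END;
GO

-- Application-layer calls; the last argument is the secret value read from Key Vault.
EXEC dbo.usp_InsertCustomer N'Bob Example', N'987-65-4321', N'<placeholder: value of the Key Vault secret>';
EXEC dbo.usp_GetCustomerSsn 2, N'<placeholder: value of the Key Vault secret>';
```

In both variants the key protecting the column data is rotated and revoked in Key Vault terms only indirectly (the TDE protector in variant 1, the secret in variant 2), so rotating the Key Vault secret in variant 2 means re-encrypting the symmetric key's password, not just updating the secret. ENCRYPTBYKEY uses a random IV, so identical plaintexts produce different ciphertexts; equality searches on SsnEncrypted will not work, which is one reason the first answer suggests considering Always Encrypted with secure enclaves.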