SQL Server Connector for Azure Key Vault is Generally Available

Starting today, the SQL Server Connector for Azure Key Vault is Generally Available!

The SQL Server Connector is an Extensible Key Management (EKM) Provider that enables SQL Server to use Azure Key Vault as a place to protect and manage SQL encryption keys. This means that you can use your own encryption keys for SQL Server encryption and protect them in Azure Key Vault. With Azure Key Vault, you get a separate, central, cloud-based key management system, the option to use hardware security modules (HSMs), and separation of duties, because key management is kept apart from data management for additional security. The SQL Server Connector is available for Transparent Data Encryption (TDE), Column Level Encryption (CLE), and Backup Encryption.

When using these SQL encryption technologies, your data is encrypted with a symmetric key (called the database encryption key, or DEK) stored in the database. Traditionally (without Azure Key Vault), a certificate that SQL Server manages would protect this DEK. With Azure Key Vault integration for SQL Server through the SQL Server Connector, you can protect the DEK with an asymmetric key that is stored in Azure Key Vault. This way, you take control of key management and keep it in a separate key management service outside of SQL Server.
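
The key hierarchy described above, written out in T-SQL for TDE as an added example (not code from the original announcement). The provider name AKV_Provider, the key, login, credential and database names are hypothetical, the angle-bracket values are placeholders, and the connector is assumed to be already registered as a cryptographic provider by following the Setup steps.

```sql
-- Added example. All object names are hypothetical; <...> values are placeholders.
-- Assumes the connector is registered as cryptographic provider AKV_Provider and
-- the login running this script already has a credential mapped to that provider.
USE master;

-- 1. Reference an existing key in the vault. Only a handle is created in
--    SQL Server; the private key stays in Azure Key Vault.
CREATE ASYMMETRIC KEY TDE_AKV_Key
FROM PROVIDER AKV_Provider
WITH PROVIDER_KEY_NAME = '<key-name-in-vault>',
     CREATION_DISPOSITION = OPEN_EXISTING;

-- 2. Give the Database Engine its own identity for reaching the vault key,
--    separate from any administrator's credential.
CREATE LOGIN TDE_AKV_Login FROM ASYMMETRIC KEY TDE_AKV_Key;

CREATE CREDENTIAL TDE_AKV_Cred
WITH IDENTITY = '<vault-name>',
     SECRET   = '<application-credential-from-setup-steps>'
FOR CRYPTOGRAPHIC PROVIDER AKV_Provider;

ALTER LOGIN TDE_AKV_Login ADD CREDENTIAL TDE_AKV_Cred;

-- 3. Create the DEK and protect it with the vault key instead of a
--    SQL Server-managed certificate, then turn TDE on.
USE SalesDb;

CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_256
ENCRYPTION BY SERVER ASYMMETRIC KEY TDE_AKV_Key;

ALTER DATABASE SalesDb SET ENCRYPTION ON;

-- 4. Verify which protector each DEK uses. A row with a NULL asymmetric_key_name
--    is not protected by an asymmetric key (for example, it still uses a certificate).
SELECT DB_NAME(dek.database_id) AS database_name,
       dek.encryption_state,
       ak.name                  AS asymmetric_key_name,
       ak.provider_type,
       cp.name                  AS provider_name
FROM sys.dm_database_encryption_keys AS dek
LEFT JOIN master.sys.asymmetric_keys AS ak
       ON ak.thumbprint = dek.encryptor_thumbprint
LEFT JOIN sys.cryptographic_providers AS cp
       ON cp.guid = ak.cryptographic_provider_guid;
```

Running the final query on a schedule lets a security administrator confirm that no database has been switched back to a locally managed protector.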

The SQL Server Connector is especially useful for those using SQL Server-in-a-VM (IaaS) who want to leverage Azure Key Vault for managing their encryption keys. SQL IaaS is the simplest way to deploy and run SQL Server, and it is optimized for extending existing on-premises SQL Server applications to the cloud in a hybrid IaaS scenario, or supporting a migration scenario.


The following image illustrates one way an organization can use the SQL Server Connector. A SQL Server administrator would manage the data stored in the SQL Server instance while a security administrator manages key vaults and master keys that are used for SQL Server encryption, and an auditor can review key usage through audit logs.


The SQL Server Connector for Microsoft Azure Key Vault is available for all Enterprise versions of SQL IaaS and SQL Server starting with 2008/2008 R2 through the recently released version of 2016.

If you’re new to the SQL Server Connector, you can get started with the following:

  1. Read the overview page on EKM to learn more
  2. Download the latest GA version of the SQL Server Connector at the Microsoft Download Center
  3. Follow the Setup steps for EKM with SQL Server Connector and Azure Key Vault

If you’re already using the SQL Server Connector, we highly recommend that you update to the latest GA version:

  1. Download the latest GA version of the SQL Server Connector at the Microsoft Download Center
  2. Follow the upgrade steps under “Upgrade of SQL Server Connector” on the Maintenance & Troubleshooting Page

Note that only Version and newer versions are Generally Available and supported for production workloads. Versions and older have been replaced and will not be supported under GA.

As always, we’ll be listening to your feedback and questions on: