SqlColumnEncryptionAzureKeyVaultProvider Class

Definition

Implementation of column master key store provider that allows client applications to access data when a column master key is stored in Microsoft Azure Key Vault.

For more information on Always Encrypted, please refer to: https://aka.ms/AlwaysEncrypted.

A column encryption key encrypted with the certificate store provider should be decryptable by this provider, and vice versa.

Envelope format for the encrypted column encryption key: version + keyPathLength + ciphertextLength + keyPath + ciphertext + signature

  • version: A single byte indicating the format version.
  • keyPathLength: Length of the keyPath.
  • ciphertextLength: Length of the ciphertext.
  • keyPath: The key path used to encrypt the column encryption key. This is only used for troubleshooting purposes and is not verified during decryption.
  • ciphertext: The encrypted column encryption key.
  • signature: Signature over the entire preceding byte array. The signature is validated before the column encryption key is decrypted.
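As an added example, not part of this reference or of Microsoft.Data.SqlClient, the following C# models that envelope locally, with a freshly generated RSA key standing in for the Key Vault column master key. The 2-byte little-endian length fields, the UTF-16 encoding of the key path, RSA-OAEP wrapping and the SHA-256 PKCS#1 signature are assumptions about the byte layout that this page does not state; what it does show is the documented check order: version and lengths first, key path skipped, signature verified over everything before it, and only then a decryption with the master key.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
// Local model of the envelope above (assumed 2-byte LE lengths, UTF-16 key path, OAEP, SHA-256/PKCS#1).
static class CekEnvelope
{
    const byte Version = 0x01; // assumed format-version byte
    public static byte[] Wrap(RSA cmk, string keyPath, byte[] cek)
    {
        byte[] path = Encoding.Unicode.GetBytes(keyPath);
        byte[] ciphertext = cmk.Encrypt(cek, RSAEncryptionPadding.OaepSHA1);
        var buf = new System.IO.MemoryStream();
        buf.WriteByte(Version);
        buf.Write(BitConverter.GetBytes((ushort)path.Length), 0, 2);
        buf.Write(BitConverter.GetBytes((ushort)ciphertext.Length), 0, 2);
        buf.Write(path, 0, path.Length);
        buf.Write(ciphertext, 0, ciphertext.Length);
        // The signature covers every byte so far, so a tampered length, key path or ciphertext fails before any decryption.
        byte[] sig = cmk.SignData(buf.ToArray(), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        buf.Write(sig, 0, sig.Length);
        return buf.ToArray();
    }
    public static byte[] Unwrap(RSA cmk, byte[] env)
    {
        int keyBytes = cmk.KeySize / 8;
        if (env.Length < 5 || env[0] != Version) throw new CryptographicException("bad envelope version");
        ushort keyPathLength = BitConverter.ToUInt16(env, 1);
        ushort ciphertextLength = BitConverter.ToUInt16(env, 3);
        int idx = 5 + keyPathLength; // keyPath is for troubleshooting only and is not verified
        int signatureLength = env.Length - idx - ciphertextLength;
        if (ciphertextLength != keyBytes || signatureLength != keyBytes)
            throw new CryptographicException("ciphertext or signature length does not match the key size");
        byte[] signature = new byte[signatureLength];
        Buffer.BlockCopy(env, idx + ciphertextLength, signature, 0, signatureLength);
        // Verify first, decrypt second: only a correctly signed envelope ever reaches the private key.
        if (!cmk.VerifyData(env, 0, env.Length - signatureLength, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1))
            throw new CryptographicException("envelope signature invalid");
        byte[] ciphertext = new byte[ciphertextLength];
        Buffer.BlockCopy(env, idx, ciphertext, 0, ciphertextLength);
        return cmk.Decrypt(ciphertext, RSAEncryptionPadding.OaepSHA1);
    }
    public static void Main()
    {
        using RSA cmk = RSA.Create(2048);
        byte[] cek = RandomNumberGenerator.GetBytes(32); // constructed sample CEK
        byte[] env = Wrap(cmk, "https://example-vault.vault.azure.net/keys/cmk/0123", cek); // placeholder key path
        Console.WriteLine(cek.AsSpan().SequenceEqual(Unwrap(cmk, env)) ? "round-trip OK" : "MISMATCH");
    }
}
```

Flipping any byte of the envelope before the signature makes Unwrap throw on the signature check rather than passing bad ciphertext to the master key, which is the property the envelope format is designed to give.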
C++/CLI
public ref class SqlColumnEncryptionAzureKeyVaultProvider : Microsoft::Data::SqlClient::SqlColumnEncryptionKeyStoreProvider

C#
public class SqlColumnEncryptionAzureKeyVaultProvider : Microsoft.Data.SqlClient.SqlColumnEncryptionKeyStoreProvider

F#
type SqlColumnEncryptionAzureKeyVaultProvider = class
    inherit SqlColumnEncryptionKeyStoreProvider

VB
Public Class SqlColumnEncryptionAzureKeyVaultProvider
Inherits SqlColumnEncryptionKeyStoreProvider
Inheritance
SqlColumnEncryptionAzureKeyVaultProvider

Remarks

For more information, see: Using the Azure Key Vault Provider

Constructors

SqlColumnEncryptionAzureKeyVaultProvider(TokenCredential)

Constructor that takes a TokenCredential implementation capable of providing an OAuth token.

SqlColumnEncryptionAzureKeyVaultProvider(TokenCredential, String)

Constructor that takes a TokenCredential implementation capable of providing an OAuth token, and a trusted endpoint.

SqlColumnEncryptionAzureKeyVaultProvider(TokenCredential, String[])

Constructor that takes a TokenCredential implementation capable of providing an OAuth token, and an array of trusted endpoints.

Fields

ProviderName

Name string identifying this column encryption key store provider.

TrustedEndPoints

List of trusted endpoints.

Properties

ColumnEncryptionKeyCacheTtl

Gets or sets the lifespan of the decrypted column encryption key in the cache. Once the timespan has elapsed, the decrypted column encryption key is discarded and must be revalidated.

Methods

DecryptColumnEncryptionKey(String, String, Byte[])

Uses the asymmetric key specified by the key path to decrypt an encrypted CEK with the RSA encryption algorithm.

EncryptColumnEncryptionKey(String, String, Byte[])

Uses the asymmetric key specified by the key path to encrypt a CEK with the RSA encryption algorithm.

SignColumnMasterKeyMetadata(String, Boolean)

Uses an asymmetric key identified by the key path to sign the master key metadata consisting of (masterKeyPath, allowEnclaveComputations bit, providerName).

VerifyColumnMasterKeyMetadata(String, Boolean, Byte[])

Uses an asymmetric key identified by the key path to verify the master key metadata consisting of (masterKeyPath, allowEnclaveComputations bit, providerName).
