New-SqlColumnMasterKey
Creates a column master key object in the database.
Syntax
New-SqlColumnMasterKey
-ColumnMasterKeySettings <SqlColumnMasterKeySettings>
[-Name] <String>
[-InputObject] <Database>
[-Script]
[-AccessToken <PSObject>]
[-TrustServerCertificate]
[-HostNameInCertificate <String>]
[-Encrypt <String>]
[<CommonParameters>] New-SqlColumnMasterKey
-ColumnMasterKeySettings <SqlColumnMasterKeySettings>
[-Name] <String>
[[-Path] <String>]
[-Script]
[-AccessToken <PSObject>]
[-TrustServerCertificate]
[-HostNameInCertificate <String>]
[-Encrypt <String>]
[<CommonParameters>] Description
The New-SqlColumnMasterKey cmdlet creates a column master key object in the database. A column master key object captures the location of a physical cryptographic key that is intended to be used as a column master key for the Always Encrypted feature.
Examples
Example 1: Create a column master key object that references a certificate
$CmkSettings = New-SqlCertificateStoreColumnMasterKeySettings -CertificateStoreLocation 'CurrentUser' -CertificateThumbprint 'f2260f28d909d21c642a3d8e0b45a830e79a1420'
New-SqlColumnMasterKey -Name 'CMK1' -ColumnMasterKeySettings $CmkSettingsThe first command uses the New-SqlCertificateStoreColumnMasterKeySettings cmdlet to create a column
master settings referencing a certificate in Windows Certificate Store and stores the result in the
variable named $CmkSettings.
Example 2: Create a column master key object that references a key in Azure Key Vault
$CmkSettings = New-SqlAzureKeyVaultColumnMasterKeySettings -KeyUrl 'https://myvault.vault.contoso.net/keys/CMK/4c05f1a41b12488f9cba2ea964b6a700'
New-SqlColumnMasterKey 'CMK1' -ColumnMasterKeySettings $CmkSettingsThe first command uses the New-SqlCertificateStoreColumnMasterKeySettings cmdlet to create
column master key object referencing a key in Azure Key Vault and stores the result in the
variable named $CmkSettings.
Example 3: Create a column master key object that references a key supporting CNG
$CmkSettings = New-SqlCngColumnMasterKeySettings -CngProviderName 'Microsoft Software Key Storage Provider' -KeyName 'AlwaysEncryptedKey'
New-SqlColumnMasterKey 'CMK1' -ColumnMasterKeySettings $CmkSettingsThe first command uses the New-SqlCertificateStoreColumnMasterKeySettings cmdlet to create column
master key object referencing a key in a key store supporting the Cryptography Next Generation (CNG)
API and stores the result in the variable named $CmkSettings.
Example 4: Create a column master key object that references a key supporting CSP
$CmkSettings = New-SqlCspColumnMasterKeySettings 'MyCspProvider' 'AlwaysEncryptedKey'
New-SqlColumnMasterKey 'CMK1' -ColumnMasterKeySettings $CmkSettingsThe first command uses the New-SqlCertificateStoreColumnMasterKeySettings cmdlet to create column master key object referencing a key in a key store key store with a Cryptography Service Provider (CSP) supporting Cryptography API (CAPI).
Example 5: Create a column master key object that references a certificate, it is auto-signed and supports enclave computations
$CmkSettings = New-SqlCertificateStoreColumnMasterKeySettings -CertificateStoreLocation 'CurrentUser' -CertificateThumbprint 'f2260f28d909d21c642a3d8e0b45a830e79a1420' -AllowEnclaveComputations
New-SqlColumnMasterKey -Name 'CMK1' -ColumnMasterKeySettings $CmkSettingsThe first command uses the New-SqlCertificateStoreColumnMasterKeySettings cmdlet to create column master settings referencing a certificate that supports enclave computations and is stored in Windows Certificate Store.
Parameters
-AccessToken
The access token used to authenticate to SQL Server, as an alternative to user/password or Windows Authentication.
This can be used, for example, to connect to SQL Azure DB and SQL Azure Managed Instance
using a Service Principal or a Managed Identity.
The parameter to use can be either a string representing the token or a PSAccessToken object as returned by running Get-AzAccessToken -ResourceUrl https://database.windows.net.
This parameter is new in v22 of the module.
| Type: | PSObject |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-ColumnMasterKeySettings
Specifies the SqlColumnMasterKeySettings object that specifies the location of the actual column master key.
The SqlColumnMasterKeySettings object has two properties: KeyStoreProviderName and KeyPath.
KeyStoreProviderName specifies the name of a column master key store provider, which an Always Encrypted-enabled client driver must use to access the key store containing the column master key.
KeyPath specifies the location of the column master key within the key store. The KeyPath format is specific to the key store.
| Type: | SqlColumnMasterKeySettings |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Encrypt
The encryption type to use when connecting to SQL Server.
This value maps to the Encrypt property SqlConnectionEncryptOption on the SqlConnection object of the Microsoft.Data.SqlClient driver.
In v22 of the module, the default is Optional (for compatibility with v21). In v23+ of the module, the default value will be 'Mandatory', which may create a breaking change for existing scripts.
This parameter is new in v22 of the module.
| Type: | String |
| Accepted values: | Mandatory, Optional, Strict |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-HostNameInCertificate
The host name to be used in validating the SQL Server TLS/SSL certificate. You must pass this parameter if your SQL Server instance is enabled for Force Encryption and you want to connect to an instance using hostname/shortname. If this parameter is omitted then passing the Fully Qualified Domain Name (FQDN) to -ServerInstance is necessary to connect to a SQL Server instance enabled for Force Encryption.
This parameter is new in v22 of the module.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-InputObject
Specifies the SQL database object, for which this cmdlet runs the operation.
| Type: | Database |
| Position: | 2 |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-Name
Specifies the name of the column master key object that this cmdlet creates.
| Type: | String |
| Position: | 1 |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Path
Specifies the path of the SQL database, for which this cmdlet runs the operation. If you do not specify a value for this parameter, the cmdlet uses the current working location.
| Type: | String |
| Position: | 2 |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Script
Indicates that this cmdlet returns a Transact-SQL script that performs the task that this cmdlet performs.
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-TrustServerCertificate
Indicates whether the channel will be encrypted while bypassing walking the certificate chain to validate trust.
In v22 of the module, the default is $true (for compatibility with v21). In v23+ of the module, the default value will be '$false', which may create a breaking change for existing scripts.
This parameter is new in v22 of the module.
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
Inputs
Microsoft.SqlServer.Management.Smo.Database
Outputs
Microsoft.SqlServer.Management.Smo.SqlColumnMasterKey