Bemærk
Adgang til denne side kræver godkendelse. Du kan prøve at logge på eller ændre mapper.
Adgang til denne side kræver godkendelse. Du kan prøve at ændre mapper.
Applies to:
SQL Server
In this article, you install and configure the SQL Server Connector for Azure Key Vault, and then configure Transparent Data Encryption (TDE) by using a key in Azure Key Vault.
Prerequisites
Before you begin using Azure Key Vault with your SQL Server instance, make sure that you meet the following prerequisites:
You must have an Azure subscription.
Create a Microsoft Entra tenant.
Review the principles of Extensible Key Management (EKM) storage with Azure Key Vault. See Extensible Key Management Using Azure Key Vault (SQL Server).
You can modify the registry on the SQL Server computer.
Install the version of Visual Studio C++ Redistributable that's based on the version of SQL Server that you're running:
SQL Server version Visual Studio C++ Redistributable version 2008, 2008 R2, 2012, 2014 Visual C++ Redistributable packages for Visual Studio 2013 2016, 2017, 2019, 2022, 2025 Visual C++ Redistributable for Visual Studio 2015 Read Access Azure Key Vault behind a firewall if you plan to use the SQL Server Connector for Azure Key Vault behind a firewall or with a proxy server.
Note
In SQL Server 2022 (16.x) CU 12 and later versions, SQL Server on Linux supports TDE Extensible Key Management with Azure Key Vault. Steps 3 and 4 in this guide aren't required for SQL Server on Linux.
Quick flow
- Select an authentication model in Step 1: Set up the authentication model.
- Create a key vault and key in Step 2: Create a key vault.
- Install the connector in Step 3: Install the SQL Server Connector.
- Configure the registry prerequisite in Step 4: Add registry key to support EKM provider.
- Configure SQL Server and validate encryption in Step 5: Configure SQL Server.
Step 1: Set up the authentication model
Important
Choose your authentication model before you continue:
- Use the Service principal tab for SQL Server on-premises.
- Use the Managed identity tab for SQL Server on Azure VMs or SQL Server enabled by Azure Arc, where managed identity is supported.
Authentication model support matrix:
| Authentication model | SQL Server version | Where SQL Server runs | Supported |
|---|---|---|---|
| Service principal | Supported versions covered by this article | On-premises, Azure VM, SQL Server enabled by Azure Arc | Yes |
| Managed identity | SQL Server 2022 CU17 and later | Azure VM | Yes |
| Managed identity | SQL Server 2025 and later | SQL Server enabled by Azure Arc | Yes |
| Managed identity | Any | On-premises | No |
To grant your SQL Server instance access permissions to your Azure key vault, you need a service principal account in Microsoft Entra ID.
Sign in to the Azure portal, and do either of the following steps:
Select the Microsoft Entra ID button.
Select More services and then, in the All services pane, type Microsoft Entra ID.
Register an application with Microsoft Entra ID by doing the following steps. For detailed step-by-step instructions, see the Get an identity for the application section of the Azure Key Vault blog post, Azure Key Vault – Step by Step.
On the Manage section of your Microsoft Entra ID resource, select App registrations.
On the App registrations page, select New registration.
On the Register an application pane, enter the user-facing name for the app, and then select Register.
In the left pane, select Certificates & secrets > Client secrets > New client secret.
Under Add a client secret, enter a description and an appropriate expiration, and then select Add. You can't choose an expiration period greater than 24 months. For more information, see Add a client secret.
On the Certificates & secrets pane, under Value, select the Copy button next to the value of the client secret to use it to create an asymmetric key in SQL Server.
In the left pane, select Overview and then, in the Application (client) ID box, copy the value to use it to create an asymmetric key in SQL Server.
Step 2: Create a key vault
Select the method you want to use to create a key vault.
Note
Only Azure Key Vault and Azure Key Vault Managed HSM are supported. Azure Cloud HSM isn't supported.
Create a key vault by using the Azure portal
To create a key vault by using the Azure portal, see Quickstart: Create a key vault using the Azure portal.
Azure role-based access control
Use Azure role-based access control (RBAC) to manage access to the Azure Key Vault. Don't use legacy access policies. Legacy access policies have known security vulnerabilities, lack support for Privileged Identity Management (PIM), and shouldn't be used for critical data and workloads. For more information on Azure Key Vault RBAC permissions, see Azure built-in roles for Key Vault data plane operations.
Go to the key vault resource that you created, and select the Access control (IAM) setting.
Select Add > Add role assignment.
The EKM application or managed identity needs the Key Vault Crypto Service Encryption User role to perform wrap and unwrap operations. Search for Key Vault Crypto Service Encryption User and select the role. Select Next.
In the Members tab, select the Select members option, and then search for the Microsoft Entra application or managed identity that you created in Step 1. Select the application or managed identity and then the Select button.
Select Review + assign twice to complete the role assignment.
Create a key
The user creating the key needs the Key Vault Administrator role. Just like the previous steps, add the member creating the key and assign the role.
On the Key Vault pane, select Keys and then select the option Generate/Import. This action opens the Create a key pane. Select the Generate option, and enter a name for the key. The SQL Server Connector requires the key name to only use the characters "a-z", "A-Z", "0-9", and "-", with a 26-character limit.
Use key type RSA and RSA key size as 2048. EKM currently only supports an RSA key. Set activation and expiration dates as appropriate and set Enabled as Yes.
Configure an Azure Key Vault Managed HSM (optional)
Azure Key Vault Managed HSM (Hardware Security Module) supports SQL Server and SQL Server on Azure Virtual Machines (VMs) when you use the latest version of the SQL Server Connector, and Azure SQL. Managed HSM is a fully managed, highly available, single-tenant HSM service. Managed HSM provides a secure foundation for cryptographic operations and key storage. Managed HSM is designed to meet the most stringent security and compliance requirements.
Step 2 shows how to create a key vault and key in Azure Key Vault. You can optionally use an Azure Key Vault Managed HSM to store or create a key for the SQL Server Connector. Follow these steps:
Create an Azure Key Vault Managed HSM by using the Azure portal, the Azure CLI, PowerShell, or an ARM template.
Activate the Managed HSM. Only the designated administrators assigned during creation can activate it. In the Azure portal, select the Managed HSM resource, and then select Download Security Domain in the Overview menu. Follow one of the quickstarts to activate your Managed HSM.
Grant permissions for the Microsoft Entra service principal or managed identity to access the Managed HSM. The Managed HSM Administrator role doesn't give permissions to create a key. Similar to step 2, the EKM application or managed identity needs the Managed HSM Crypto User or Managed HSM Crypto Service Encryption User role to perform wrap and unwrap operations. For more information, see Local RBAC built-in roles for Managed HSM.
In the Azure Key Vault Managed HSM service menu, under Setting, select Keys. In the Keys window, select Generate/Import/Restore Backup to create a key or import an existing key.
Note
Algorithms RSA-HSM_2048 and RSA-HSM_3072 are supported starting in SQL Server 2022 (16.x) Cumulative Update 13.
Azure Key Vault Managed HSM supports automatic key rotation. For more information, see Configure key auto-rotation in Azure Managed HSM.
Managed HSM supports private endpoint connections. For more information, see Integrate Managed HSM with Azure Private Link. In this configuration, you must enable the Microsoft trusted service bypass option in the Azure Key Vault Managed HSM Networking setting.
Step 3: Install the SQL Server Connector
Have a SQL Server administrator download the latest version of the SQL Server Connector for Microsoft Azure Key Vault from the Microsoft Download Center and run the installer.
By default, the Connector is installed at C:\Program Files\SQL Server Connector for Microsoft Azure Key Vault. You can change this location during setup. If you change it, adjust the scripts in the next section.
A successful installation places Microsoft.AzureKeyVaultService.EKM.dll on the machine. This assembly is the cryptographic EKM provider DLL. Register it with SQL Server by using the CREATE CRYPTOGRAPHIC PROVIDER statement.
The installer also offers sample scripts for SQL Server encryption.
For error code explanations, configuration settings, or maintenance tasks, see:
- Maintenance instructions for the SQL Server Connector
- Error code explanations for the SQL Server Connector
Step 4: Add registry key to support EKM provider
Warning
Only a SQL Server administrator who knows exactly what they're doing should modify the registry. Incorrect changes can cause serious problems. Back up the registry before making any changes so you can restore it if a problem occurs.
Run regedit to open the Registry Editor.
Create a
SQL Server Cryptographic Providerregistry key atHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQL Server Cryptographic Provider.Right-click the
SQL Server Cryptographic Providerregistry key, and then select Permissions.Grant Full Control on the
SQL Server Cryptographic Providerkey to the user account running the SQL Server service.
Select Apply and then OK.
Close Registry Editor and restart the SQL Server service.
Note
If you use TDE with EKM or Azure Key Vault on a failover cluster instance, also add
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQL Server Cryptographic Providerto the Cluster Registry Checkpoint routine so the registry syncs across nodes, which facilitates database recovery after failover and key rotation.Run the following PowerShell command to add the registry key to the checkpoint routine:
Add-ClusterCheckpoint -RegistryCheckpoint "SOFTWARE\Microsoft\SQL Server Cryptographic Provider" -Resourcename "SQL Server"
Step 5: Configure SQL Server
For a note about the minimum permission levels needed for each action in this section, see B. Frequently Asked Questions.
Phase 1: Configure cryptographic provider and credentials in master
Choose your authentication model and follow the matching steps.
Run sqlcmd or open SQL Server Management Studio.
Configure SQL Server to use EKM by running the following Transact-SQL script:
-- Enable advanced options. USE master; GO EXEC sp_configure 'show advanced options', 1; GO RECONFIGURE; GO -- Enable EKM provider EXEC sp_configure 'EKM provider enabled', 1; GO RECONFIGURE;Register the SQL Server Connector as an EKM provider with SQL Server.
Create a cryptographic provider by using the SQL Server Connector, which is an EKM provider for the Azure Key Vault. In this example, the provider name is
AzureKeyVault_EKM.CREATE CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM FROM FILE = 'C:\Program Files\SQL Server Connector for Microsoft Azure Key Vault\Microsoft.AzureKeyVaultService.EKM.dll'; GONote
The file path length can't exceed 256 characters.
Set up a SQL Server credential for a SQL Server login to use the key vault.
Add a credential to each login that performs encryption by using a key from the key vault. There's a one-to-one mapping between credentials and logins - each login must have a unique credential.
Modify this Transact-SQL script in the following ways:
Edit the
IDENTITYargument (DocsSampleEKMKeyVault) to point to your Azure Key Vault.- If you're using global Azure, replace the
IDENTITYargument with the name of your Azure Key Vault from Step 2: Create a key vault. - If you're using a private Azure cloud (for example, Azure Government, Microsoft Azure operated by 21Vianet, or Azure Germany), replace the
IDENTITYargument with the Vault URI returned in Create a key vault and key by using PowerShell. Don't includehttps://in the key vault URI.
- If you're using global Azure, replace the
Replace the first part of the
SECRETargument with the Microsoft Entra Client ID from Step 1: Set up the authentication model. In this example, the Client ID isd956f6b9xxxxxxx.Important
Remove the hyphens from the App (Client) ID.
Complete the second part of the
SECRETargument with the Client Secret from Step 1. The final string is a long sequence of letters and numbers without hyphens (except for any hyphens in the Client Secret itself).
USE master; CREATE CREDENTIAL sysadmin_ekm_cred -- Set IDENTITY to the vault name (public Azure) or full vault hostname without https:// (sovereign clouds / Managed HSM) -- See https://dotnet.territoriali.olinfo.it/azure/key-vault/general/about-keys-secrets-certificates#dns-suffixes-for-base-url WITH IDENTITY = 'DocsSampleEKMKeyVault', --<----Application (Client) ID ---><--Microsoft Entra app (Client) ID secret--> SECRET = 'd956f6b9xxxxxxxyrA8X~PldtMCvUZPxxxxxxxx' FOR CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM; -- Add the credential to the SQL Server administrator's domain login ALTER LOGIN [<domain>\<login>] ADD CREDENTIAL sysadmin_ekm_cred;For an example of using variables and programmatically removing hyphens from the Client ID, see CREATE CREDENTIAL.
Open the Azure Key Vault key in your SQL Server instance.
Whether you created a new key or imported an asymmetric key in Step 2: Create a key vault, open the key in SQL Server by using
CREATE ASYMMETRIC KEY.Important
Complete the registry prerequisites before you perform this step.
In the following examples:
- Replace
EKMSampleASYKeywith the name that you want to use in SQL Server. - Replace
ContosoRSAKey0with your key name in Azure Key Vault or Managed HSM.
Use a versionless key name (recommended for most scenarios):
CREATE ASYMMETRIC KEY EKMSampleASYKey FROM PROVIDER [AzureKeyVault_EKM] WITH PROVIDER_KEY_NAME = 'ContosoRSAKey0', CREATION_DISPOSITION = OPEN_EXISTING;Use a specific key version when you need to pin operations to one version:
CREATE ASYMMETRIC KEY EKMSampleASYKey FROM PROVIDER [AzureKeyVault_EKM] WITH PROVIDER_KEY_NAME = 'ContosoRSAKey0/1a4d3b9b393c4678831ccc60def75379', CREATION_DISPOSITION = OPEN_EXISTING;In this example,
1a4d3b9b393c4678831ccc60def75379is the specific key version that SQL Server uses for database operations.- Replace
Create a new login by using the asymmetric key in SQL Server that you created in the preceding step.
-- Create a login that associates the asymmetric key with this login CREATE LOGIN TDE_Login FROM ASYMMETRIC KEY EKMSampleASYKey;Move the credential mapping from the original administrator login to the login created from the asymmetric key.
SQL Server uses the login created from the asymmetric key (
TDE_Login) for EKM operations. To ensure SQL Server can access Azure Key Vault during encryption and recovery operations, map the credential toTDE_Logininstead of the original setup login.-- Remove the service principal credential from the original setup login ALTER LOGIN [<domain>\<login>] DROP CREDENTIAL sysadmin_ekm_cred; -- Map the service principal credential to the login created from the asymmetric key ALTER LOGIN TDE_Login ADD CREDENTIAL sysadmin_ekm_cred;
Phase 2: Encrypt and validate the user database
Configure the user database to be encrypted
Create a test database to encrypt by using the Azure Key Vault key.
-- Create a test database for the TDE example. CREATE DATABASE TestTDE;Create a database encryption key by using the server asymmetric key (
EKMSampleASYKey).USE TestTDE; -- Create a DEK protected by the EKM asymmetric key. CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256 ENCRYPTION BY SERVER ASYMMETRIC KEY EKMSampleASYKey;Enable TDE on the database by setting
ENCRYPTION ON.-- Enable TDE for the database. ALTER DATABASE TestTDE SET ENCRYPTION ON;
Verify key usage and encryption state
In the
masterdatabase, execute the following Transact-SQL query to verify that the EKM asymmetric key exists and capture its thumbprint.SELECT name, algorithm_desc, thumbprint FROM sys.asymmetric_keys;The statement returns output similar to the following:
name algorithm_desc thumbprint EKMSampleASYKey RSA_2048 <key thumbprint>In the user database (
TestTDE), execute the following Transact-SQL query to verify that TDE is enabled and that the database encryption key is protected by an asymmetric key.SELECT encryptor_type, encryption_state_desc, encryptor_thumbprint FROM sys.dm_database_encryption_keys WHERE database_id = DB_ID('TestTDE');The statement returns output similar to the following:
encryptor_type encryption_state_desc encryptor_thumbprint ASYMMETRIC KEY ENCRYPTED <key thumbprint>Confirm that
encryptor_thumbprintmatches the thumbprint returned fromsys.asymmetric_keys. A mismatch usually indicates that the database encryption key is protected by a different key than expected.
Clean up
Use the cleanup steps that match the authentication model you configured.
Clean up the test objects you created in this procedure.
-- CLEAN UP: shared objects + service principal credential USE master; GO ALTER DATABASE [TestTDE] SET SINGLE_USER WITH ROLLBACK IMMEDIATE; DROP DATABASE [TestTDE]; GO DROP LOGIN [TDE_Login]; GO DROP ASYMMETRIC KEY [EKMSampleASYKey]; DROP CRYPTOGRAPHIC PROVIDER [AzureKeyVault_EKM]; GO DROP CREDENTIAL [sysadmin_ekm_cred]; GOReview whether you should remove the
SQL Server Cryptographic Providerregistry key.Important
The
SQL Server Cryptographic Providerregistry key isn't removed automatically after you delete EKM keys.Delete this registry key only when you no longer need EKM on the instance. Deleting it too early can break EKM functionality and recovery operations.
Registry path:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQL Server Cryptographic Provider
Rotate asymmetric keys for TDE with Azure Key Vault
Use a dedicated operational guide for key rotation steps, including authentication-specific scripts, verification, and safety checks:
Important
Don't delete previous versions of the key after rotation. Earlier versions might still be required for restoring older backups, log files, and recovery artifacts.