Pavan

Reputation: 1083

Always encrypted SQL Azure using Keyvault - Export CMK certificate

I am encrypting my SQL Azure database using Always Encrypted with Key Vault. What I see in Key Vault is that the CMK is created in the Keys section. Is it possible to construct a certificate from this? Or where can I find this certificate of the CMK?

Upvotes: 0

Views: 388

Answers (1)

In Azure Key Vault, you can create different types of objects: keys, secrets and certificates. Always Encrypted requires that column master keys stored in Azure Key Vault are Key Vault keys. SSMS creates a Key Vault key when you choose to store the new column master key in a Key Vault. BTW, what SSMS does when creating a key is equivalent to calling Add-AzureKeyVaultKey.

Having said that, when a Key Vault certificate is created (e.g. via Add-AzureKeyVaultCertificate), an addressable key and secret are also created with the same name - see https://learn.microsoft.com/en-us/rest/api/keyvault/about-keys--secrets-and-certificates#key-vault-certificates. And you could use the key associated with the certificate as a column master key, if you want. However, I'm not aware of a practical benefit of doing that: an Always Encrypted-enabled client driver (e.g. ADO.NET) would not even be aware that the key is associated with the certificate.

It might be useful if you can describe your business requirements and explain why you think you need a column master key to be a certificate.

Please keep in mind that even when a column master key is a real certificate stored in the Windows Certificate Store (not in Key Vault), Always Encrypted-enabled drivers only use the public key and the private key contained in the certificate, and they ignore everything else. In particular, the driver never validates the certificate expiration date, the CA chain or whether a certificate has been revoked. This is by design - master keys protect long-lived data, and this approach ensures you will always be able to access the data as long as you have the master key (e.g. if you create a database backup file containing encrypted data and restore a database from it several years later, you should be able to access your data).

Upvotes: 2
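The two paths the answer describes, as an added example that is not part of the original question or answer: creating a plain Key Vault key the way SSMS does (Add-AzureKeyVaultKey), and creating a Key Vault certificate and then registering its addressable key as the column master key. The vault name, key and certificate names, server, database and CMK/CEK names are assumed placeholders; the registration step uses the SqlServer PowerShell module's Always Encrypted cmdlets (New-SqlAzureKeyVaultColumnMasterKeySettings, New-SqlColumnMasterKey, New-SqlColumnEncryptionKey), which need an interactive Azure sign-in and a network path to both the vault and the database. In the newer Az module the Key Vault cmdlets are Add-AzKeyVaultKey, Add-AzKeyVaultCertificate and Get-AzKeyVaultCertificate; the parameters used here are the same.

```powershell
# Added example (not from the original post). All names below are placeholders.
$vaultName  = 'my-ae-vault'                          # assumed vault name
$serverName = 'myserver.database.windows.net'        # assumed SQL Azure server
$dbName     = 'mydb'                                 # assumed database

# Path 1: what SSMS does when you store a new CMK in Key Vault - a software-protected
# RSA key. The CMK is a Key Vault *key*; there is no certificate to export.
$cmkKey = Add-AzureKeyVaultKey -VaultName $vaultName -Name 'AE-CMK-1' -Destination Software
Write-Host "CMK key id (use as KEY_PATH): $($cmkKey.Id)"

# Path 2: create a Key Vault *certificate* and use its addressable key as the CMK.
# A self-issued policy is enough; the driver never looks at subject, validity or chain.
$policy = New-AzureKeyVaultCertificatePolicy -SubjectName 'CN=AE-CMK-Cert' `
            -IssuerName Self -ValidityInMonths 12
Add-AzureKeyVaultCertificate -VaultName $vaultName -Name 'AE-CMK-Cert' -CertificatePolicy $policy | Out-Null
# Certificate creation is asynchronous; poll until the object is populated.
do {
    Start-Sleep -Seconds 5
    $cert = Get-AzureKeyVaultCertificate -VaultName $vaultName -Name 'AE-CMK-Cert'
} while (-not $cert.KeyId)
Write-Host "Certificate-backed key id (use as KEY_PATH): $($cert.KeyId)"

# Register a Key Vault key as the column master key and wrap a new column encryption
# key with it. Either $cmkKey.Id or $cert.KeyId works here: the AZURE_KEY_VAULT provider
# only needs a key URL, not the certificate.
Import-Module SqlServer
Add-SqlAzureAuthenticationContext -Interactive       # token for the Key Vault provider

$db = Get-SqlDatabase -ServerInstance $serverName -Name $dbName -Credential (Get-Credential)

$cmkSettings = New-SqlAzureKeyVaultColumnMasterKeySettings -KeyUrl $cert.KeyId
New-SqlColumnMasterKey -Name 'CMK_FromCert' -InputObject $db -ColumnMasterKeySettings $cmkSettings
# The CEK's ENCRYPTED_VALUE (RSA-OAEP wrap under the CMK) is computed client-side here;
# the database only ever stores the wrapped blob.
New-SqlColumnEncryptionKey -Name 'CEK_1' -InputObject $db -ColumnMasterKey 'CMK_FromCert'

# Sanity check: the server-side metadata records just the provider and the key URL.
Invoke-Sqlcmd -ServerInstance $serverName -Database $dbName -Credential (Get-Credential) -Query @"
SELECT name, key_store_provider_name, key_path
FROM sys.column_master_keys;
"@
```

Whichever path is used, the CMK that the database and the client driver know about is the key URL in sys.column_master_keys; a certificate in the Key Vault Certificates section is only a wrapper around the same key and secret objects, so there is nothing extra to export for Always Encrypted to work.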
