I have been stuck on this issue for quite a while. I would really appreciate it if anyone could give me some help.
I have a task to enable SQL Server database encryption with an Azure Key Vault. I followed the steps described in [Set up SQL Server TDE Extensible Key Management by using Azure Key Vault].
More details follow.
1. In my Azure portal, I created a Key Vault, named DB-Encryption-POC
2. In the Key vault I created a RSA 2048 Key named DBEncryptionKey1
3. In Active Directory I registered an App named test-keyvault
4. In Key Vault DB-Encryption-POC, I added a Key Management access policy with all permissions and set the service principal to test-keyvault. I believe this grants my app test-keyvault the access permissions.
5. In the App test-keyvault, I created a secret, test-secret
6. Installed and set up SQL Server Connector for Azure Key Vault 1.0.5.0.
7. Created the registry key SQL Server\Cryptographic Provider with full permissions for the SQL Server service login.
Now I switch to SQL Server Manager. After installing and setting up the SQL Server Connector, I run the following:
USE master;
CREATE CREDENTIAL sysadmin_ekm_cred
WITH IDENTITY = 'DB-Encryption-POC', -- My Key Vault name
SECRET = '<app clientId><secretId>'
FOR CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM_Prov; -- already points to the SQL Connector dll
-- Add the credential to the SQL Server administrator's domain login
ALTER LOGIN sa
ADD CREDENTIAL sysadmin_ekm_cred;
-- Open Azure Key Vault key in SQL Server
CREATE ASYMMETRIC KEY My_KEY
FROM PROVIDER [AzureKeyVault_EKM_Prov]
WITH PROVIDER_KEY_NAME = 'EncryptionDBKey1',
CREATION_DISPOSITION = OPEN_EXISTING;
The last statement gives me the following error:
Msg 33049, Level 16, State 2, Line 43
Key with name 'EncryptionDBKey1' does not exist in the provider or access is denied. Provider error code: 3113. (Provider Error - No explanation is available, consult EKM Provider for details)
Completion time: 2020-07-02T16:10:16.4359940-05:00
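Error 33049 with provider code 3113 is what the connector returns when the name passed as PROVIDER_KEY_NAME is not found in the vault or the service principal cannot read it. Two things in the post are worth checking against the vault itself before touching SQL Server again: step 2 creates a key called DBEncryptionKey1, while the CREATE ASYMMETRIC KEY statement asks for EncryptionDBKey1 (the names must match exactly), and the access policy has to belong to the service principal of the test-keyvault app registration. The following PowerShell is an added diagnostic, not code from the original post or from Microsoft's connector; it assumes the Az.KeyVault and Az.Resources modules are installed and that you are signed in to the subscription that holds the vault. The vault and app names are the ones from the post.

```powershell
# Added check (not from the original post): confirm the key name, the service
# principal's key permissions, and the shape of the credential SECRET before
# re-running CREATE ASYMMETRIC KEY. Assumes Az.KeyVault and Az.Resources.
$vaultName = 'DB-Encryption-POC'   # Key Vault name from the post
$appName   = 'test-keyvault'       # App registration name from the post

Connect-AzAccount | Out-Null

# 1. Which keys actually exist in the vault? PROVIDER_KEY_NAME must match one
#    of these names exactly; the post creates DBEncryptionKey1 but the T-SQL
#    references EncryptionDBKey1. TDE via this connector needs an RSA key.
Write-Host "Keys in $vaultName:"
Get-AzKeyVaultKey -VaultName $vaultName |
    Select-Object Name, KeyType, Enabled, Expires |
    Format-Table -AutoSize

# 2. Does the app registration's service principal appear in the vault's
#    access policies, and with which key permissions? The connector needs at
#    least get, list, wrapKey and unwrapKey. An empty result means the policy
#    was granted to a different object (for example a user) than the SP.
$sp    = Get-AzADServicePrincipal -DisplayName $appName
$vault = Get-AzKeyVault -VaultName $vaultName
Write-Host "Access policy for service principal $($sp.Id):"
$vault.AccessPolicies |
    Where-Object { $_.ObjectId -eq $sp.Id } |
    Select-Object DisplayName, PermissionsToKeys |
    Format-List

# 3. Build the SECRET value in the form Microsoft documents for the connector:
#    the application (client) ID with hyphens removed, immediately followed by
#    the client secret. Only the length is printed; the value itself is what
#    goes into CREATE CREDENTIAL ... SECRET = '...'.
$clientSecret = Read-Host -AsSecureString "Client secret for $appName"
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($clientSecret)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
$secretValue = ($sp.AppId -replace '-', '') + $plain
Write-Host "SECRET is $($secretValue.Length) characters (32-char client ID + secret)"
```

If step 1 lists DBEncryptionKey1 and nothing called EncryptionDBKey1, the provider error is explained by the name alone. If step 2 returns nothing, the policy was not attached to the app's service principal; grant it with Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ServicePrincipalName $sp.AppId -PermissionsToKeys get,list,wrapKey,unwrapKey. If the vault uses the Azure RBAC permission model instead of access policies, AccessPolicies will be empty regardless and the equivalent check is a role assignment (for example Key Vault Crypto User) on the vault for the service principal.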