This is Part: AP3 (Azure Portal) of a 4-part blog series.
This blog in the series provides step-by-step instructions to create an Azure Key Vault using the Azure Portal, grant the SQL Server Connector's identity access to it, and create the key SQL Server will use.
To grant SQL Server access to your Azure Key Vault you need a Service Principal in Azure Active Directory (AAD), created in Part: AP2. The Azure Portal is used to create the Key Vault, add an access policy for that Azure Active Directory principal, and generate the RSA key.
Create a Resource Group (optionally, you may use an existing Resource Group instead):
a) Step 1: Select your subscription
b) Step 2: Name a new Resource Group (or select an existing Resource Group)
c) Step 3: Select the Region
Create the Key Vault:
a) Step 1: Select your subscription
b) Step 2: Name a new Resource Group (or select the existing Resource Group from the previous section)
c) Step 3: Enter a Key Vault Name (3 to 24 characters: letters, digits and hyphens, globally unique, because it becomes the vault's DNS name, https://<name>.vault.azure.net)
d) Step 4: Select the Region
e) Step 5: Select Pricing Tier: OK to default (Standard; Premium is only needed for HSM-backed keys)
f) Step 6: Soft delete: OK to default (soft-delete keeps deleted vaults and vault objects recoverable for the retention period; on current vaults it is always on and cannot be disabled)
g) Step 7: Enter Retention Period (days): OK to default (90 days; the allowed range is 7 to 90, set as appropriate for your needs)
h) Step 8: Purge protection: OK to default, or enable it if your policy requires it. Purge protection requires soft-delete. While it is on, a deleted vault or object cannot be purged before the retention period has passed, and once enabled it cannot be turned off again. For a TDE protector this is a worthwhile safeguard: a purged key makes every database encrypted with it unreadable.
Open the vault's access policies:
a) Step 1: Select the “Access policies” node
b) Step 2: Click on “+Add Access Policy”
Caveat: this blade is only available when the vault's Permission model is “Vault access policy”. If the vault was created with the Azure role-based access control model (the default for new vaults in the current portal), either switch the model under “Access configuration” or assign the Service Principal the built-in “Key Vault Crypto User” role on the vault instead of the steps below.
Choose the key permissions:
a) Step 1: Configure from template: select “Key Management” in the dropdown
b) Step 2: In the Key permissions dropdown keep only Get, List, Unwrap Key and Wrap Key, and clear everything else the template pre-selected (the SQL Server Connector needs exactly these four operations; it never creates, deletes, backs up or restores keys, so do not grant those)
c) Step 3: Click “Add”
Select the Service Principal:
a) Step 1: Click “Select principal” (to bring up the Principal dialog)
b) Step 2: Search for the Azure Active Directory Application you registered in the previous blog (SQL Server TDE EKM Using Azure Key Vault – Part: AP2), by its display name or Application (client) ID
c) Step 3: Once the Principal appears, select it
d) Step 4: Click the “Select” button to accept
e) Step 5: Click the “Add” button
Note: in this version of the portal the new policy is not applied until you also click “Save” on the Access policies blade. Confirm afterwards that the Principal is listed with only the four key permissions chosen above.
Add a Key to the Key Vault:
a) Under Settings select Keys
b) Click "+ Generate/Import"
c) Enter a name (example: ContosoKeyVaultRSAKey)
d) Use default: Key Type: RSA
e) Use default RSA Key Size: 2048 (do not use 3072 or 4096; the SQL Server Connector version used in this series does not support them)
f) Optionally set an activation date (leave unchecked for immediate activation)
g) Optionally set an expiration date (leave unchecked for no expiration date)
h) Use default: Enabled
i) Click the "Create" button
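For readers who would rather script the same procedure, the block below is an Az PowerShell equivalent of this page's portal steps. It is an added example written for this edit; it is not the series' own PowerShell Method (Part: PS2) and not Microsoft's code. The subscription ID, resource group, location, vault name, key name and the Application (client) ID are placeholders you must replace; it assumes the Az.Accounts, Az.Resources and Az.KeyVault modules (Az.KeyVault 2.1 or later for the -EnableRbacAuthorization switch) and a signed-in account allowed to create the vault. It also adds a verification pass that the portal leaves to the eye: it reads the vault back and checks soft-delete, purge protection, and that the Service Principal holds exactly the four key permissions the SQL Server Connector needs, no more and no less.

```powershell
# Added example: scripted equivalent of the portal steps on this page (not Part: PS2's script).
# Placeholders (assumptions): replace every value in this block with your own.
$SubscriptionId = '00000000-0000-0000-0000-000000000000'   # your Azure subscription
$ResourceGroup  = 'ContosoSqlTdeRG'                        # hypothetical resource group name
$Location       = 'eastus'
$VaultName      = 'contoso-sqltde-kv'                      # 3-24 chars, letters/digits/hyphens, globally unique
$KeyName        = 'ContosoKeyVaultRSAKey'                  # key name used as the example on this page
$AppId          = '11111111-1111-1111-1111-111111111111'   # Application (client) ID of the Part: AP2 Service Principal

# Exactly the key permissions the SQL Server Connector needs. Nothing else from the
# "Key Management" template (create, delete, backup, restore, ...) is granted.
$RequiredKeyPermissions = @('get', 'list', 'wrapKey', 'unwrapKey')

Connect-AzAccount -Subscription $SubscriptionId | Out-Null

# Resource Group section (create it only if it does not already exist)
if (-not (Get-AzResourceGroup -Name $ResourceGroup -ErrorAction SilentlyContinue)) {
    New-AzResourceGroup -Name $ResourceGroup -Location $Location | Out-Null
}

# Key Vault section: Standard tier, 90-day soft-delete retention, purge protection on.
# -EnableRbacAuthorization:$false forces the "Vault access policy" permission model that
# the access-policy steps on this page rely on (newer Az versions may default to Azure RBAC).
if (-not (Get-AzKeyVault -VaultName $VaultName -ErrorAction SilentlyContinue)) {
    New-AzKeyVault -Name $VaultName -ResourceGroupName $ResourceGroup -Location $Location `
        -Sku Standard -SoftDeleteRetentionInDays 90 -EnablePurgeProtection `
        -EnableRbacAuthorization:$false | Out-Null
}

# Access policy section ("Select principal", "Add", "Save" in the portal).
# -ServicePrincipalName accepts the Application (client) ID.
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ServicePrincipalName $AppId `
    -PermissionsToKeys $RequiredKeyPermissions

# Add a Key section: software-protected RSA 2048, enabled immediately, no expiry.
if (-not (Get-AzKeyVaultKey -VaultName $VaultName -Name $KeyName -ErrorAction SilentlyContinue)) {
    Add-AzKeyVaultKey -VaultName $VaultName -Name $KeyName -Destination Software `
        -KeyType RSA -Size 2048 | Out-Null
}

# Verification: read everything back and report what a practitioner should confirm.
$vault      = Get-AzKeyVault -VaultName $VaultName
$spObjectId = (Get-AzADServicePrincipal -ApplicationId $AppId).Id
$policy     = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $spObjectId }
$key        = Get-AzKeyVaultKey -VaultName $VaultName -Name $KeyName

$problems = @()
if (-not $vault.EnableSoftDelete)      { $problems += 'soft-delete is off' }
if (-not $vault.EnablePurgeProtection) { $problems += 'purge protection is off' }
if (-not $policy) {
    $problems += "no access policy for Service Principal $AppId (did the policy get saved?)"
} else {
    $required = @($RequiredKeyPermissions | ForEach-Object { $_.ToLower() })
    $granted  = @($policy.PermissionsToKeys | ForEach-Object { $_.ToLower() })
    $missing  = $required | Where-Object { $_ -notin $granted }
    $extra    = $granted  | Where-Object { $_ -notin $required }
    if ($missing) { $problems += "missing key permissions: $($missing -join ', ')" }
    if ($extra)   { $problems += "excess key permissions, trim for least privilege: $($extra -join ', ')" }
}
if (-not $key)            { $problems += "key $KeyName not found" }
elseif (-not $key.Enabled) { $problems += "key $KeyName is disabled" }
elseif ($key.Expires)      { $problems += "key $KeyName expires on $($key.Expires); SQL Server will lose access then" }

if ($problems.Count -eq 0) {
    "Vault $VaultName is ready for Part: 4 (vault URI: $($vault.VaultUri), key: $KeyName)"
} else {
    Write-Warning ("Review before continuing:`n - " + ($problems -join "`n - "))
}
```

The script is idempotent: re-running it against an existing resource group, vault or key skips creation and only re-applies the access policy and the checks, so it doubles as an audit of a vault that was built by hand through the portal steps above.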
Configuring Azure Key Vault is the third step in configuring SQL Server TDE to use Azure Key Vault. The next part continues the setup on the SQL Server side using SSMS or SQLCMD.
See you at the next blog (Part: 4)
Adrian
Blog series:
SQL Server Transparent Data Encryption and Extensible Key Management Using Azure Key Vault – Intro
SQL Server Connector for Microsoft Azure Key Vault (aka: SQL Server Connector) – Part: 1
Azure Portal Method:
    Set up an Azure Active Directory Service Principal – Part: AP2
    Create an Azure Key Vault – Part: AP3 (this document)
PowerShell Method:
    Setup Azure Active Directory Service Principal and Azure Key Vault (one script) – Part: PS2 (this script combines Part: AP2 and Part: AP3)
Configure SQL Server TDE EKM using AKV – Part: 4