First published on MSDN on Jun 13, 2016
Starting today, the SQL Server Connector for Azure Key Vault is Generally Available!
The SQL Server Connector is an Extensible Key Management (EKM) Provider that enables SQL Server to use Azure Key Vault as a place to protect and manage SQL encryption keys. This means that you can use your own encryption keys for SQL Server encryption and protect them in Azure Key Vault. With Azure Key Vault, you benefit from a separate, central, cloud-based key management system, the option to use hardware security modules (HSMs), and support for separation of duties, since key management can be split from data management for additional security. The SQL Server Connector is available for Transparent Data Encryption (TDE), Column Level Encryption (CLE), and Backup Encryption.
When using these SQL encryption technologies, your data is encrypted with a symmetric key (called the database encryption key) stored in the database. Traditionally (without Azure Key Vault), a certificate that SQL Server manages would protect this data encryption key (DEK). With Azure Key Vault integration for SQL Server through the SQL Server Connector, you can protect the DEK with an asymmetric key that is stored in Azure Key Vault. This way, you can assume control over the key management, and have it be in a separate key management service outside of SQL Server.
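As an added example (not from the original post or the connector's documentation), the T-SQL sequence that wires the pieces described above together for TDE: the EKM provider is registered, a key held in the vault is mapped into SQL Server, and the DEK is created wrapped by that key. The vault name, key name, login and database names, the client ID and secret, and the DLL install path are placeholders or assumptions.

```sql
-- Enable the EKM provider option on the instance (run as sysadmin; assumed context).
USE master;
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'EKM provider enabled', 1;
RECONFIGURE;
GO
-- Register the connector DLL as a cryptographic provider (default install path assumed).
CREATE CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM_Prov
FROM FILE = 'C:\Program Files\Microsoft SQL Server Connector for Microsoft Azure Key Vault\Microsoft.AzureKeyVaultService.EKM.dll';
GO
-- Credential the administrator uses to reach the vault. IDENTITY is the vault name;
-- SECRET is the Azure AD application client ID (hyphens removed) followed by its secret.
-- All values below are placeholders.
CREATE CREDENTIAL sysadmin_ekm_cred
WITH IDENTITY = 'ContosoSqlVault',
     SECRET = '<client-id-without-hyphens><client-secret>'
FOR CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM_Prov;
ALTER LOGIN [CONTOSO\sqladmin] ADD CREDENTIAL sysadmin_ekm_cred;
GO
-- Map an asymmetric key that already exists in the vault; its private half never leaves Key Vault.
CREATE ASYMMETRIC KEY ContosoSqlTdeKey
FROM PROVIDER AzureKeyVault_EKM_Prov
WITH PROVIDER_KEY_NAME = 'ContosoSqlTdeKey',
     CREATION_DISPOSITION = OPEN_EXISTING;
GO
-- The engine needs its own login and credential to unwrap the DEK at startup,
-- separately from any administrator's session.
CREATE LOGIN TDE_Login FROM ASYMMETRIC KEY ContosoSqlTdeKey;
CREATE CREDENTIAL Azure_EKM_TDE_cred
WITH IDENTITY = 'ContosoSqlVault',
     SECRET = '<client-id-without-hyphens><client-secret>'
FOR CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM_Prov;
ALTER LOGIN TDE_Login ADD CREDENTIAL Azure_EKM_TDE_cred;
GO
-- Create the symmetric DEK inside the database, wrapped by the vault key, and enable TDE.
USE ContosoDB;
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_256
ENCRYPTION BY SERVER ASYMMETRIC KEY ContosoSqlTdeKey;
ALTER DATABASE ContosoDB SET ENCRYPTION ON;
GO
-- Check: encryption_state 3 means the database is encrypted.
SELECT DB_NAME(database_id) AS db, encryption_state, key_algorithm, key_length
FROM sys.dm_database_encryption_keys;
```

Because the DEK is wrapped by a key that stays in the vault, restoring this database or backup elsewhere requires access to the same Key Vault key, which is what the separation of duties described above relies on.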
The SQL Server Connector is especially useful for those using SQL Server-in-a-VM (IaaS) who want to leverage Azure Key Vault for managing their encryption keys. SQL IaaS is the simplest way to deploy and run SQL Server, and it is optimized for extending existing on-premises SQL Server applications to the cloud in a hybrid IaaS scenario, or supporting a migration scenario.
The following image illustrates one way an organization can use the SQL Server Connector. A SQL Server administrator would manage the data stored in the SQL Server instance while a security administrator manages key vaults and master keys that are used for SQL Server encryption, and an auditor can review key usage through audit logs.
The SQL Server Connector for Microsoft Azure Key Vault is available for all Enterprise editions of SQL IaaS and SQL Server, from SQL Server 2008/2008 R2 through the recently released SQL Server 2016.
If you’re new to the SQL Server Connector, you can get started with the following: