About Me

My photo
I am an MCSE in Data Management and Analytics, specializing in MS SQL Server, and an MCP in Azure. With over 19+ years of experience in the IT industry, I bring expertise in data management, Azure Cloud, Data Center Migration, Infrastructure Architecture planning, as well as Virtualization and automation. I have a deep passion for driving innovation through infrastructure automation, particularly using Terraform for efficient provisioning. If you're looking for guidance on automating your infrastructure or have questions about Azure, SQL Server, or cloud migration, feel free to reach out. I often write to capture my own experiences and insights for future reference, but I hope that sharing these experiences through my blog will help others on their journey as well. Thank you for reading!

How to Configure Azure Key Vault Integration for SQL Server on Azure Virtual Machines.

How to Configure Azure Key Vault Integration for SQL Server on Azure Virtual Machines.







/* Enable extensible key Management  */

sp_configure 'EKM provider enabled',1,1
go
reconfigure with override
go



--CREATE CREDENTIAL sysadmin_ekm_cred
--WITH IDENTITY = 'Punamvault', --keyvault Name
--SECRET = '7d4bb83a2dfb4ef2a8e59363ed17c221raksqlvm1backuppassword'
--FOR CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM_Prov;
--go

USE [master]
GO

CREATE LOGIN [sql_login] WITH PASSWORD=N'password@123', DEFAULT_DATABASE=[master], DEFAULT_LANGUAGE=[us_english], CHECK_EXPIRATION=ON, CHECK_POLICY=ON
GO

ALTER LOGIN [sql_login] DISABLE
GO

ALTER SERVER ROLE [sysadmin] ADD MEMBER [sql_login]
GO


/* Alter the login to add credentials */








/*download SQL Server Connector for Microsoft Azure Key Vault from download center */

CREATE CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM_Prov
FROM FILE = 'C:\Program Files\SQL Server Connector for Microsoft Azure Key Vault\Microsoft.AzureKeyVaultService.EKM.dll';

/* Create a credentails - In identity put the Azure key vault Name and in secret =
secret = Application ID + Keyvalue for Application */

/*AzureKeyVault_EKM_Prov is nothing but a CRYPTOGRPAHIC Provider which we have created in previous step */

CREATE CREDENTIAL sysadmin_ekm_cred
WITH IDENTITY = 'Punamvault',
SECRET = '7d4bb83a2dfb4ef2a8e59363ed17c2211pf1Lkp7TwpqqMesJzZWAhSQoaZ180Ul+MZ4hwx5GV0='
FOR CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM_Prov

/* Attach SQL_Login with credential which i have created earlier */

ALTER LOGIN [SQL_Login]
ADD CREDENTIAL sysadmin_ekm_cred;

/* Create a ASYMMETRIC key */

CREATE ASYMMETRIC KEY sqlvm1key
FROM PROVIDER [AzureKeyVault_EKM_Prov]
WITH PROVIDER_KEY_NAME = 'sqlvm1key', -- here Provider name is key which i have created in the Azure key Vault
CREATION_DISPOSITION = OPEN_EXISTING

/* Check Key got created */

select * from sys.asymmetric_keys


/* Create credential for Azure key access */

CREATE CREDENTIAL [key01_ekm_cred]
WITH IDENTITY = 'Punamvault',
SECRET = '7d4bb83a2dfb4ef2a8e59363ed17c2211pf1Lkp7TwpqqMesJzZWAhSQoaZ180Ul+MZ4hwx5GV0='
FOR CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM_Prov
go

CREATE LOGIN [key01_ekm_login] FROM ASYMMETRIC KEY [sqlvm1key];
go
ALTER LOGIN [key01_ekm_login] ADD CREDENTIAL [key01_ekm_cred];
go

use [rakeshtdehkm]
go
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_128
ENCRYPTION BY SERVER ASYMMETRIC KEY [sqlvm1key]
GO
ALTER DATABASE [rakeshtdehkm] SET ENCRYPTION ON
go


USE master
go

BACKUP DATABASE [rakeshtdehkm]
TO DISK = N'C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Backup\rakeshtdehkm.bak'
WITH FORMAT, INIT, SKIP, NOREWIND, NOUNLOAD,
ENCRYPTION(ALGORITHM = AES_256, SERVER ASYMMETRIC KEY = [sqlvm1key]);
GO


Labels:

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)