---
title: Integrate Key Vault with SQL Server on Windows VMs in Azure (Resource Manager)
description: Learn how to automate the configuration of SQL Server encryption for use with Azure Key Vault. This topic explains how to use Azure Key Vault Integration with SQL virtual machines created with Resource Manager.
author: adbadram
ms.author: adbadram
ms.reviewer: mathoma
ms.date: 02/10/2022
ms.service: virtual-machines-sql
ms.subservice: security
ms.topic: how-to
tags: azure-service-management
---
# Configure Azure Key Vault integration for SQL Server on Azure VMs (Resource Manager)

[!INCLUDE appliesto-sqlvm]
There are multiple SQL Server encryption features, such as transparent data encryption (TDE), column level encryption (CLE), and backup encryption. These forms of encryption require you to manage and store the cryptographic keys you use for encryption. The Azure Key Vault service is designed to improve the security and management of these keys in a secure and highly available location. The SQL Server Connector enables SQL Server to use these keys from Azure Key Vault.
If you are running SQL Server on-premises, there are steps you can follow to access Azure Key Vault from your on-premises SQL Server instance. But for SQL Server on Azure VMs, you can save time by using the Azure Key Vault Integration feature.
> [!NOTE]
> The Azure Key Vault integration is available only for the Enterprise, Developer, and Evaluation Editions of SQL Server. Starting with SQL Server 2019, Standard edition is also supported.
When this feature is enabled, it automatically installs the SQL Server Connector, configures the EKM provider to access Azure Key Vault, and creates the credential to allow you to access your vault. If you looked at the steps in the previously mentioned on-premises documentation, you can see that this feature automates steps 2 and 3. The only thing you would still need to do manually is to create the key vault and keys. From there, the entire setup of your SQL Server VM is automated. Once this feature has completed this setup, you can execute Transact-SQL (T-SQL) statements to begin encrypting your databases or backups as you normally would.
> [!NOTE]
> You can also configure Key Vault integration by using a template. For more information, see Azure quickstart template for Azure Key Vault integration.

[!INCLUDE Prepare for Key Vault integration]

> [!NOTE]
> Extensible Key Management (EKM) Provider version 1.0.4.0 is installed on the SQL Server VM through the SQL infrastructure as a service (IaaS) extension. Upgrading the SQL IaaS Agent extension does not update the provider version. Consider manually upgrading the EKM provider version if needed (for example, when migrating to a SQL Managed Instance).
## Enable and configure Key Vault integration
You can enable Key Vault integration during provisioning or configure it for existing VMs.
### New VMs
If you are provisioning a new SQL virtual machine with Resource Manager, the Azure portal provides a way to enable Azure Key Vault integration.
For a detailed walkthrough of provisioning, see Provision a SQL virtual machine in the Azure portal.
### Existing VMs
For existing SQL virtual machines, open your SQL virtual machines resource and select Security under Settings. Select Enable to enable Azure Key Vault integration.
The following screenshot shows how to enable Azure Key Vault in the portal for an existing SQL Server VM (this SQL Server instance uses a non-default port 1401):
When you're finished, select the Apply button on the bottom of the Security page to save your changes.
> [!NOTE]
> The credential name we created here will be mapped to a SQL login later. This allows the SQL login to access the key vault.
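The T-SQL that follows the portal step, shown here as an added example rather than part of the original article: it verifies that the connector registered the EKM provider, maps the credential to a login, opens an existing vault key, and uses it as the TDE protector. The credential name `sysadmin_ekm_cred`, provider name `AzureKeyVault_EKM_Prov`, login `sa_ekm_admin`, vault key `ContosoRSAKey0`, database `ContosoDB` and the angle-bracket placeholders are assumptions to replace with your own values.

```sql
-- Added example (not from the article). Assumed names, replace with yours:
--   sysadmin_ekm_cred       credential name entered on the Security page
--   AzureKeyVault_EKM_Prov  EKM provider name registered by the SQL Server Connector
--   sa_ekm_admin            login that will manage the vault-backed keys
--   ContosoRSAKey0          RSA key that already exists in the key vault
--   ContosoDB               database to protect with TDE

-- 1. Check that the EKM provider was installed and is enabled; an empty result
--    here means the portal step has not completed on this instance.
SELECT name, dll_path, is_enabled
FROM sys.cryptographic_providers;

SELECT provider_id, provider_version, sqlcrypt_version, friendly_name
FROM sys.dm_cryptographic_provider_properties;

-- 2. Map the credential created by the portal to the administrative login.
USE master;
ALTER LOGIN [sa_ekm_admin] ADD CREDENTIAL sysadmin_ekm_cred;

-- 3. Open a handle to the existing vault key. The private key stays in Key Vault;
--    SQL Server only receives a reference to it.
CREATE ASYMMETRIC KEY ContosoKeyVaultKey
FROM PROVIDER [AzureKeyVault_EKM_Prov]
WITH PROVIDER_KEY_NAME = 'ContosoRSAKey0',
     CREATION_DISPOSITION = OPEN_EXISTING;

-- 4. Give the engine its own login and credential for TDE so that it can reach
--    the vault at startup without an interactive session (the pattern used in
--    the on-premises SQL Server Connector documentation).
CREATE LOGIN TDE_Login FROM ASYMMETRIC KEY ContosoKeyVaultKey;
CREATE CREDENTIAL TDE_KeyVault_cred
  WITH IDENTITY = '<key-vault-name>',
       SECRET   = '<client-id-without-hyphens><client-secret>'
  FOR CRYPTOGRAPHIC PROVIDER [AzureKeyVault_EKM_Prov];
ALTER LOGIN TDE_Login ADD CREDENTIAL TDE_KeyVault_cred;

-- 5. Protect the database encryption key with the vault key and enable TDE.
USE ContosoDB;
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_256
ENCRYPTION BY SERVER ASYMMETRIC KEY ContosoKeyVaultKey;
ALTER DATABASE ContosoDB SET ENCRYPTION ON;

-- 6. Confirm the result: encryption_state 3 means the database is encrypted.
SELECT DB_NAME(database_id) AS database_name, encryption_state,
       key_algorithm, key_length, encryptor_type
FROM sys.dm_database_encryption_keys;
```

Run steps 1 and 6 again after any SQL IaaS Agent extension upgrade; as the note above states, the extension upgrade does not change the EKM provider version, and these queries confirm the provider is still enabled and the database still reports as encrypted.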
[!INCLUDE Key Vault integration next steps]
## Next steps
For more security information, review Security considerations for SQL Server on Azure VMs.