Clever Geek Handbook

Use SQL Server, always encrypted with SSIS and Azure Key Vault

Has anyone successfully used SSIS to pull and decrypt data from SQL Server that uses Always Encrypted with Azure Key Vault (not Windows Cert Store, which I know is possible)?

Since configuring Azure Key Vault access involves programmatically registering providers on SqlClient

, I was wondering:

The SSIS Script task share the same application domain / context as the subsequent ADO.NET data flow tasks, since it will have to go to providers SqlClient

, configure as follows:

var provs = new Dictionary<string, SqlColumnEncryptionKeyStoreProvider>();
provs.Add(SqlColumnEncryptionAzureKeyVaultProvider.ProviderName, azureKeyVaultProvider);
SqlConnection.RegisterColumnEncryptionKeyStoreProviders(providers);

Also, Script Tasks are .NET 4.5 by default, but Always Encrypted features are only available in 4.6.1. When I try to install the framework in the Script editor, it always gets reset to 4.5 when I reopen the project.

I was hoping to find an example as setting this up involves registering Key Vault and all build assemblies in the GAC.

UPDATE May 5, 2017 Thanks to @Josh G, I was able to get this 95% working with the ODBC driver.

In my ODBC source, I can now see unencrypted data when I select Preview, however, after running the package, I get the following errors:

Error: 0x384 at broker, ODBC source [12]: Opening a database connection (ODBC). state: "CE202". Error code: 0. [Microsoft] [ODBC Driver 13 for SQL Server] [SQL Server] Keystore provider AZURE_KEY_VAULT failed to decrypt ECEK https://keyvault.vault.azure.net:443/keys/CMKAuto1/mykey with RSA_OAEP.

Error: 0x384 Broker, ODBC Source [12]: Open Database A connection error (ODBC) occurred. state: "CE269". Source Error Code: 0. [Microsoft] [ODBC Driver 13 for SQL Server] [SQL Server] Error 12038 sending request to https://mykeyvault.vault.azure.net:443 Error: 0x384 at broker, ODBC source [12] : open a database connection (ODBC). Condition: "CE263". Error code: 0. [Microsoft] [ODBC Driver 13 for SQL Server] [SQL Server] Failed to validate ECEK signature.

+3


source to share


1 answer


The short answer to this question is that it is possible to support the requested scenario if you are using an ODBC driver to connect to a database with encrypted information. ODBC driver allows you to specify AKV credentials in the connection string that the driver uses to connect to AKV and perform encryption / decryption operations with SQL.



Best, Josh

+2


source






More articles:


All Articles