// ****************************************** static void Main(string[] args) { // Initialize AKV provider var sqlColumnEncryptionAzureKeyVaultProvider = new SqlColumnEncryptionAzureKeyVaultProvider(AzureActiveDirectoryAuthenticationCallback); // Register AKV provider SqlConnection.RegisterColumnEncryptionKeyStoreProviders(customProviders: new Dictionary <string, SqlColumnEncryptionKeyStoreProvider>(capacity: 1, comparer: StringComparer.OrdinalIgnoreCase) { { SqlColumnEncryptionAzureKeyVaultProvider.ProviderName, sqlColumnEncryptionAzureKeyVaultProvider } }); Console.WriteLine("AKV provider Registered"); // Create connection to database using (SqlConnection sqlConnection = new SqlConnection(s_connectionString)) { var cmkName = "CMK_WITH_AKV"; var cekName = "CEK_WITH_AKV"; var tblName = "AKV_TEST_TABLE"; var customer = new CustomerRecord(1, @"Microsoft", @"Corporation"); try { sqlConnection.Open(); // Drop Objects if exists dropObjects(sqlConnection, cmkName, cekName, tblName); // Create Column Master Key with AKV Url createCMK(sqlConnection, cmkName, sqlColumnEncryptionAzureKeyVaultProvider); Console.WriteLine("Column Master Key created."); // Create Column Encryption Key createCEK(sqlConnection, cmkName, cekName, sqlColumnEncryptionAzureKeyVaultProvider); Console.WriteLine("Column Encryption Key created."); // Create Table with Encrypted Columns createTbl(sqlConnection, cekName, tblName); Console.WriteLine("Table created with Encrypted columns."); // Insert Customer Record in table insertData(sqlConnection, tblName, customer); Console.WriteLine("Encryted data inserted."); // Read data from table verifyData(sqlConnection, tblName, customer); Console.WriteLine("Data validated successfully."); } finally { // Drop table and keys dropObjects(sqlConnection, cmkName, cekName, tblName); Console.WriteLine("Dropped Table, CEK and CMK"); } Console.WriteLine("Completed AKV provider Sample."); Console.ReadKey(); } }
// Initialize the Azure Key Vault provider for Always Encrypted. Required if column master keys are stored in Azure Key Vault. private void InitializeAzureKeyVaultProvider() { TokenCredential tokenCredential = null; SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder(Configuration.GetConnectionString("ContosoHRDatabase")); if (builder.Authentication == SqlAuthenticationMethod.ActiveDirectoryManagedIdentity) { // If the application uses a managed identity to talk to Azure SQL Database, use the managed identity for Azure Key Vault too. tokenCredential = new ManagedIdentityCredential(); } else { // Assume a managed identity is not available to the app. Instead, use a client id/secret to authenticate to Azure Key Vault. // Fetch client id, secret, tenant id from the configuration. // It is recommended you specify these parameters in secrets.json. // See https://docs.microsoft.com/aspnet/core/security/app-secrets?view=aspnetcore-5.0&tabs=windows on how store secrets in secrets.json. var clientId = Configuration["ClientId"]; var secret = Configuration["Secret"]; var tenantId = Configuration["TenantId"]; tokenCredential = new ClientSecretCredential(tenantId, clientId, secret); } SqlColumnEncryptionAzureKeyVaultProvider sqlColumnEncryptionAzureKeyVaultProvider = new SqlColumnEncryptionAzureKeyVaultProvider(tokenCredential); SqlConnection.RegisterColumnEncryptionKeyStoreProviders( customProviders: new Dictionary <string, SqlColumnEncryptionKeyStoreProvider>(capacity: 1, comparer: StringComparer.OrdinalIgnoreCase) { { SqlColumnEncryptionAzureKeyVaultProvider.ProviderName, sqlColumnEncryptionAzureKeyVaultProvider } } ); }
async protected void Application_Start() { AreaRegistration.RegisterAllAreas(); GlobalConfiguration.Configure(WebApiConfig.Register); FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters); RouteConfig.RegisterRoutes(RouteTable.Routes); BundleConfig.RegisterBundles(BundleTable.Bundles); HttpConfiguration config = GlobalConfiguration.Configuration; config.Formatters.JsonFormatter.SerializerSettings.ReferenceLoopHandling = Newtonsoft.Json.ReferenceLoopHandling.Ignore; //Adds the Azure Key Vault Provider to ensure the column is unencrypted when queryed upon //Reference: https://blogs.msdn.microsoft.com/sqlsecurity/2015/11/10/using-the-azure-key-vault-key-store-provider-for-always-encrypted/ SqlColumnEncryptionAzureKeyVaultProvider azureKeyVaultProvider = new SqlColumnEncryptionAzureKeyVaultProvider(Util.GetToken); Dictionary <string, SqlColumnEncryptionKeyStoreProvider> providers = new Dictionary <string, SqlColumnEncryptionKeyStoreProvider>(); providers.Add(SqlColumnEncryptionAzureKeyVaultProvider.ProviderName, azureKeyVaultProvider); SqlConnection.RegisterColumnEncryptionKeyStoreProviders(providers); //Get an access token for the Key Vault to get the secret out... var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(Util.GetToken)); var sec = await kv.GetSecretAsync(WebConfigurationManager.AppSettings["SecretUri"]); //ensure that the connect string has the "Column Encryption Setting=Enabled" in it! Util.EncryptSecret = sec.Value; }
static void Main() { Dictionary <string, SqlColumnEncryptionKeyStoreProvider> customKeyStoreProviders = new Dictionary <string, SqlColumnEncryptionKeyStoreProvider>(); MyCustomKeyStoreProvider firstProvider = new MyCustomKeyStoreProvider(); customKeyStoreProviders.Add("FIRST_CUSTOM_STORE", firstProvider); // Registers the provider globally SqlConnection.RegisterColumnEncryptionKeyStoreProviders(customKeyStoreProviders); using (SqlConnection connection = new SqlConnection(connectionString)) { customKeyStoreProviders.Clear(); MyCustomKeyStoreProvider secondProvider = new MyCustomKeyStoreProvider(); customKeyStoreProviders.Add("SECOND_CUSTOM_STORE", secondProvider); // Registers the provider on the connection connection.RegisterColumnEncryptionKeyStoreProvidersOnConnection(customKeyStoreProviders); using (SqlCommand command = connection.CreateCommand()) { customKeyStoreProviders.Clear(); SqlColumnEncryptionAzureKeyVaultProvider azureKeyVaultProvider = new SqlColumnEncryptionAzureKeyVaultProvider(); customKeyStoreProviders.Add(SqlColumnEncryptionAzureKeyVaultProvider.ProviderName, azureKeyVaultProvider); // Registers the provider on the command // These providers will take precedence over connection-level providers and globally registered providers command.RegisterColumnEncryptionKeyStoreProvidersOnCommand(customKeyStoreProviders); } } }
private void InitializeAzureKeyVaultProvider() { // Initialize the Azure Key Vault provider TokenCredential tokenCredential = null; SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder(Configuration.GetConnectionString("ContosoHRDatabase")); if (builder.Authentication == SqlAuthenticationMethod.ActiveDirectoryManagedIdentity) { tokenCredential = new ManagedIdentityCredential(); } else { var clientId = "..."; var secret = "..."; var tenantId = "..."; tokenCredential = new ClientSecretCredential(tenantId, clientId, secret); } SqlColumnEncryptionAzureKeyVaultProvider sqlColumnEncryptionAzureKeyVaultProvider = new SqlColumnEncryptionAzureKeyVaultProvider(tokenCredential); SqlConnection.RegisterColumnEncryptionKeyStoreProviders( customProviders: new Dictionary <string, SqlColumnEncryptionKeyStoreProvider>(capacity: 1, comparer: StringComparer.OrdinalIgnoreCase) { { SqlColumnEncryptionAzureKeyVaultProvider.ProviderName, sqlColumnEncryptionAzureKeyVaultProvider } } ); }
// ****************************************** static void Main(string[] args) { // Initialize AKV provider SqlColumnEncryptionAzureKeyVaultProvider sqlColumnEncryptionAzureKeyVaultProvider = new SqlColumnEncryptionAzureKeyVaultProvider(AzureActiveDirectoryAuthenticationCallback, s_trustedEndPoint); // Register AKV provider SqlConnection.RegisterColumnEncryptionKeyStoreProviders(customProviders: new Dictionary <string, SqlColumnEncryptionKeyStoreProvider>(capacity: 1, comparer: StringComparer.OrdinalIgnoreCase) { { SqlColumnEncryptionAzureKeyVaultProvider.ProviderName, sqlColumnEncryptionAzureKeyVaultProvider } }); Console.WriteLine("AKV provider Registered"); // Create connection to database using (SqlConnection sqlConnection = new SqlConnection(s_connectionString)) { string cmkName = "CMK_WITH_AKV"; string cekName = "CEK_WITH_AKV"; string tblName = "AKV_TEST_TABLE"; sqlConnection.Open(); // Create Column Master Key with AKV Url createCMK(sqlConnection, cmkName, sqlColumnEncryptionAzureKeyVaultProvider); Console.WriteLine("Column Master Key created."); // Create Column Encryption Key createCEK(sqlConnection, cmkName, cekName, sqlColumnEncryptionAzureKeyVaultProvider); Console.WriteLine("Column Encryption Key created."); // Create Table with Encrypted Columns createTbl(sqlConnection, cekName, tblName); Console.WriteLine("Table created with Encrypted columns."); } }
public static void ReturnSpecifiedVersionOfKeyWhenItIsNotTheMostRecentVersion() { Uri keyPathUri = new Uri(DataTestUtility.AKVOriginalUrl); Uri vaultUri = new Uri(keyPathUri.GetLeftPart(UriPartial.Authority)); //If key version is not specified then we cannot test. if (KeyIsVersioned(keyPathUri)) { string keyName = keyPathUri.Segments[2]; string keyVersion = keyPathUri.Segments[3]; ClientSecretCredential clientSecretCredential = new ClientSecretCredential(DataTestUtility.AKVTenantId, DataTestUtility.AKVClientId, DataTestUtility.AKVClientSecret); KeyClient keyClient = new KeyClient(vaultUri, clientSecretCredential); KeyVaultKey currentVersionKey = keyClient.GetKey(keyName); KeyVaultKey specifiedVersionKey = keyClient.GetKey(keyName, keyVersion); //If specified versioned key is the most recent version of the key then we cannot test. if (!KeyIsLatestVersion(specifiedVersionKey, currentVersionKey)) { SqlColumnEncryptionAzureKeyVaultProvider azureKeyProvider = new SqlColumnEncryptionAzureKeyVaultProvider(clientSecretCredential); // Perform an operation to initialize the internal caches azureKeyProvider.EncryptColumnEncryptionKey(DataTestUtility.AKVOriginalUrl, EncryptionAlgorithm, s_columnEncryptionKey); PropertyInfo keyCryptographerProperty = azureKeyProvider.GetType().GetProperty("KeyCryptographer", BindingFlags.NonPublic | BindingFlags.Instance); var keyCryptographer = keyCryptographerProperty.GetValue(azureKeyProvider); MethodInfo getKeyMethod = keyCryptographer.GetType().GetMethod("GetKey", BindingFlags.NonPublic | BindingFlags.Instance); KeyVaultKey key = (KeyVaultKey)getKeyMethod.Invoke(keyCryptographer, new[] { DataTestUtility.AKVOriginalUrl }); Assert.Equal(keyVersion, key.Properties.Version); } } }
public static void InitializeSQLProviders() { SqlColumnEncryptionAzureKeyVaultProvider azureKeyVaultProvider = new SqlColumnEncryptionAzureKeyVaultProvider(GetToken); var providers = new Dictionary <string, SqlColumnEncryptionKeyStoreProvider>(); providers.Add(SqlColumnEncryptionAzureKeyVaultProvider.ProviderName, azureKeyVaultProvider); SqlConnection.RegisterColumnEncryptionKeyStoreProviders(providers); }
private static object GetCacheInstance(string cacheName, SqlColumnEncryptionAzureKeyVaultProvider akvProvider) { Assembly akvProviderAssembly = typeof(SqlColumnEncryptionAzureKeyVaultProvider).Assembly; Type akvProviderType = akvProviderAssembly.GetType( "Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider.SqlColumnEncryptionAzureKeyVaultProvider"); FieldInfo cacheField = akvProviderType.GetField(cacheName, BindingFlags.Instance | BindingFlags.NonPublic); return(cacheField.GetValue(akvProvider)); }
private static bool CekCacheContainsKey(byte[] encryptedCek, SqlColumnEncryptionAzureKeyVaultProvider akvProvider) { var cacheInstance = GetCacheInstance("_columnEncryptionKeyCache", akvProvider); Type cacheType = cacheInstance.GetType(); MethodInfo containsMethod = cacheType.GetMethod("Contains", BindingFlags.Instance | BindingFlags.NonPublic); bool containsResult = (bool)containsMethod.Invoke(cacheInstance, new object[] { ToHexString(encryptedCek) }); return(containsResult); }
public SQLSetupStrategyAzureKeyVault() : base() { AkvStoreProvider = new SqlColumnEncryptionAzureKeyVaultProvider(new SqlClientCustomTokenCredential()); if (!IsAKVProviderRegistered) { RegisterGlobalProviders(AkvStoreProvider); } SetupDatabase(); }
private void RegisterAzureKeyVaultProvider() { SqlColumnEncryptionAzureKeyVaultProvider sqlColumnEncryptionAzureKeyVaultProvider = new SqlColumnEncryptionAzureKeyVaultProvider(AzureActiveDirectoryAuthenticationCallback); SqlConnection.RegisterColumnEncryptionKeyStoreProviders(customProviders: new Dictionary <string, SqlColumnEncryptionKeyStoreProvider>(capacity: 1, comparer: StringComparer.OrdinalIgnoreCase) { { SqlColumnEncryptionAzureKeyVaultProvider.ProviderName, sqlColumnEncryptionAzureKeyVaultProvider } }); }
private static int GetCacheCount(string cacheName, SqlColumnEncryptionAzureKeyVaultProvider akvProvider) { var cacheInstance = GetCacheInstance(cacheName, akvProvider); Type cacheType = cacheInstance.GetType(); PropertyInfo countProperty = cacheType.GetProperty("Count", BindingFlags.Instance | BindingFlags.NonPublic); int countValue = (int)countProperty.GetValue(cacheInstance); return(countValue); }
static void InitializeAzureKeyVaultProvider() { _clientCredential = new ClientCredential(clientId, clientSecret); SqlColumnEncryptionAzureKeyVaultProvider azureKeyVaultProvider = new SqlColumnEncryptionAzureKeyVaultProvider(GetToken); Dictionary<string, SqlColumnEncryptionKeyStoreProvider> providers = new Dictionary<string, SqlColumnEncryptionKeyStoreProvider>(); providers.Add(SqlColumnEncryptionAzureKeyVaultProvider.ProviderName, azureKeyVaultProvider); SqlConnection.RegisterColumnEncryptionKeyStoreProviders(providers); }
public static void LegacyAuthenticationCallbackTest() { // SqlClientCustomTokenCredential implements legacy authentication callback to request access token at client-side. SqlColumnEncryptionAzureKeyVaultProvider akvProvider = new SqlColumnEncryptionAzureKeyVaultProvider(new SqlClientCustomTokenCredential()); byte[] encryptedCek = akvProvider.EncryptColumnEncryptionKey(DataTestUtility.AKVUrl, EncryptionAlgorithm, s_columnEncryptionKey); byte[] decryptedCek = akvProvider.DecryptColumnEncryptionKey(DataTestUtility.AKVUrl, EncryptionAlgorithm, encryptedCek); Assert.Equal(s_columnEncryptionKey, decryptedCek); }
public static void InitializeAzureKeyVaultProvider() { var azKeyVaultProvider = new SqlColumnEncryptionAzureKeyVaultProvider(GetToken); Dictionary <string, SqlColumnEncryptionKeyStoreProvider> providers = new Dictionary <string, SqlColumnEncryptionKeyStoreProvider> { { SqlColumnEncryptionAzureKeyVaultProvider.ProviderName, azKeyVaultProvider } }; SqlConnection.RegisterColumnEncryptionKeyStoreProviders(providers); }
public static void TokenCredentialTest() { ClientSecretCredential clientSecretCredential = new ClientSecretCredential(DataTestUtility.AKVTenantId, DataTestUtility.AKVClientId, DataTestUtility.AKVClientSecret); SqlColumnEncryptionAzureKeyVaultProvider akvProvider = new SqlColumnEncryptionAzureKeyVaultProvider(clientSecretCredential); byte[] encryptedCek = akvProvider.EncryptColumnEncryptionKey(DataTestUtility.AKVUrl, EncryptionAlgorithm, s_columnEncryptionKey); byte[] decryptedCek = akvProvider.DecryptColumnEncryptionKey(DataTestUtility.AKVUrl, EncryptionAlgorithm, encryptedCek); Assert.Equal(s_columnEncryptionKey, decryptedCek); }
//////////////////////////////////////////////////////////// // Public Methods/Atributes //////////////////////////////////////////////////////////// /// <inheritdoc /> /// <summary> /// Register the provider with ADO.net /// </summary> public void Register() { var azureKeyVaultProvider = new SqlColumnEncryptionAzureKeyVaultProvider(_keyVaultTokenProvider.GetTokenAsync); var providers = new Dictionary <string, SqlColumnEncryptionKeyStoreProvider> { { SqlColumnEncryptionAzureKeyVaultProvider.ProviderName, azureKeyVaultProvider } }; // register the provider with ADO.net SqlConnection.RegisterColumnEncryptionKeyStoreProviders(providers); }
public void InvalidTrustedEndpoint(string trustedEndpoint) { Exception ex = Assert.Throws <ArgumentException>(() => { SqlColumnEncryptionAzureKeyVaultProvider azureKeyProvider = new SqlColumnEncryptionAzureKeyVaultProvider( new SqlClientCustomTokenCredential(), trustedEndpoint); }); Assert.Matches("One or more of the elements in trustedEndpoints are null or empty or consist of only whitespace.", ex.Message); }
/// <summary> /// Set up ADO to authenticate to Azure AD and retrieve the /// Column Master Key (CMK) from a Key Vault as set up in the /// App.Config. Then ADO will be able to use the CMK to decript /// read from the Key Vault to decrypt the column Encryption Key (CEK) /// that is an encrypted key stored in the database itself and returned /// to teh app with the query for which the CMK is the decryption key. /// Once ADO can unwrap the CEK by means of the CMK then it can use the /// decrypted CEK to decrypt the data read from the database and viceversa /// encrypt the data sent to it. /// </summary> private static void SetUpAdoNetEncryption() { var azEncryptionKeyVaultProvider = new SqlColumnEncryptionAzureKeyVaultProvider(GetAccessTokenAsync); var providers = new Dictionary <string, SqlColumnEncryptionKeyStoreProvider>(); providers.Add(SqlColumnEncryptionAzureKeyVaultProvider.ProviderName, azEncryptionKeyVaultProvider); SqlConnection.RegisterColumnEncryptionKeyStoreProviders(providers); Console.WriteLine($"providers = {providers.Count}"); Console.WriteLine(); }
private static string GetEncryptedValue(SqlColumnEncryptionAzureKeyVaultProvider sqlColumnEncryptionAzureKeyVaultProvider) { byte[] plainTextColumnEncryptionKey = new byte[32]; RandomNumberGenerator rng = RandomNumberGenerator.Create(); rng.GetBytes(plainTextColumnEncryptionKey); byte[] encryptedColumnEncryptionKey = sqlColumnEncryptionAzureKeyVaultProvider.EncryptColumnEncryptionKey(s_akvUrl, s_algorithm, plainTextColumnEncryptionKey); string EncryptedValue = string.Concat("0x", BitConverter.ToString(encryptedColumnEncryptionKey).Replace("-", string.Empty)); return EncryptedValue; }
public static void ThrowWhenUrlHasLessThanThreeSegments() { SqlColumnEncryptionAzureKeyVaultProvider azureKeyProvider = new SqlColumnEncryptionAzureKeyVaultProvider(new SqlClientCustomTokenCredential()); string invalidKeyPath = "https://my-key-vault.vault.azure.net/keys"; Exception ex1 = Assert.Throws <ArgumentException>(() => azureKeyProvider.EncryptColumnEncryptionKey(invalidKeyPath, EncryptionAlgorithm, s_columnEncryptionKey)); Assert.Contains($"Invalid url specified: '{invalidKeyPath}'", ex1.Message); Exception ex2 = Assert.Throws <ArgumentException>(() => azureKeyProvider.DecryptColumnEncryptionKey(invalidKeyPath, EncryptionAlgorithm, s_columnEncryptionKey)); Assert.Contains($"Invalid url specified: '{invalidKeyPath}'", ex2.Message); }
static void InitializeAzureKeyVaultProvider(AzureServiceTokenProvider azureServiceTokenProvider) { var azureKeyVaultProvider = new SqlColumnEncryptionAzureKeyVaultProvider(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback)); var providers = new Dictionary <string, SqlColumnEncryptionKeyStoreProvider> { { SqlColumnEncryptionAzureKeyVaultProvider.ProviderName, azureKeyVaultProvider } }; SqlConnection.RegisterColumnEncryptionKeyStoreProviders(providers); }
private static string GetEncryptedValue(SqlColumnEncryptionAzureKeyVaultProvider sqlColumnEncryptionAzureKeyVaultProvider) { byte[] plainTextColumnEncryptionKey = new byte[32]; RNGCryptoServiceProvider rngCsp = new RNGCryptoServiceProvider(); rngCsp.GetBytes(plainTextColumnEncryptionKey); byte[] encryptedColumnEncryptionKey = sqlColumnEncryptionAzureKeyVaultProvider.EncryptColumnEncryptionKey(s_akvUrl, s_algorithm, plainTextColumnEncryptionKey); string EncryptedValue = string.Concat("0x", BitConverter.ToString(encryptedColumnEncryptionKey).Replace("-", string.Empty)); return(EncryptedValue); }
static void InitializeAzureKeyVaultProvider() { string clientId = CloudConfigurationManager.GetSetting("ida:ClientId"); string clientSecret = CloudConfigurationManager.GetSetting("ida:ClientSecret"); _clientCredential = new ClientCredential(clientId, clientSecret); SqlColumnEncryptionAzureKeyVaultProvider azureKeyVaultProvider = new SqlColumnEncryptionAzureKeyVaultProvider(GetToken); Dictionary <string, SqlColumnEncryptionKeyStoreProvider> providers = new Dictionary <string, SqlColumnEncryptionKeyStoreProvider>(); providers.Add(SqlColumnEncryptionAzureKeyVaultProvider.ProviderName, azureKeyVaultProvider); SqlConnection.RegisterColumnEncryptionKeyStoreProviders(providers); }
public void IsCompatibleWithProviderUsingLegacyClient() { AzureKeyVaultKeyStoreProvider newAkvProvider = new AzureKeyVaultKeyStoreProvider(new ClientSecretCredential(tenantId, clientId, clientSecret)); SqlColumnEncryptionAzureKeyVaultProvider oldAkvProvider = new SqlColumnEncryptionAzureKeyVaultProvider(AzureActiveDirectoryAuthenticationCallback); byte[] encryptedCekWithNewProvider = newAkvProvider.WrapKey(keyEncryptionKeyPath, EncryptionAlgorithm, ColumnEncryptionKey); byte[] decryptedCekWithOldProvider = oldAkvProvider.DecryptColumnEncryptionKey(keyEncryptionKeyPath, EncryptionAlgorithm.ToString(), encryptedCekWithNewProvider); Assert.Equal(ColumnEncryptionKey, decryptedCekWithOldProvider); byte[] encryptedCekWithOldProvider = oldAkvProvider.EncryptColumnEncryptionKey(keyEncryptionKeyPath, EncryptionAlgorithm.ToString(), ColumnEncryptionKey); byte[] decryptedCekWithNewProvider = newAkvProvider.UnwrapKey(keyEncryptionKeyPath, EncryptionAlgorithm, encryptedCekWithOldProvider); Assert.Equal(ColumnEncryptionKey, decryptedCekWithNewProvider); }
static async public Task Configure() { //Adds the Azure Key Vault Provider to ensure the column is unencrypted when queryed upon //Reference: https://blogs.msdn.microsoft.com/sqlsecurity/2015/11/10/using-the-azure-key-vault-key-store-provider-for-always-encrypted/ SqlColumnEncryptionAzureKeyVaultProvider azureKeyVaultProvider = new SqlColumnEncryptionAzureKeyVaultProvider(Util.GetToken); Dictionary <string, SqlColumnEncryptionKeyStoreProvider> providers = new Dictionary <string, SqlColumnEncryptionKeyStoreProvider>(); providers.Add(SqlColumnEncryptionAzureKeyVaultProvider.ProviderName, azureKeyVaultProvider); SqlConnection.RegisterColumnEncryptionKeyStoreProviders(providers); //Get an access token for the Key Vault to get the secret out... kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(Util.GetToken)); }
public static void RegisterGlobalProviders(SqlColumnEncryptionAzureKeyVaultProvider akvProvider) { DummyKeyStoreProvider dummyProvider = new DummyKeyStoreProvider(); Dictionary <string, SqlColumnEncryptionKeyStoreProvider> customKeyStoreProviders = new Dictionary <string, SqlColumnEncryptionKeyStoreProvider>(capacity: 2, comparer: StringComparer.OrdinalIgnoreCase) { { SqlColumnEncryptionAzureKeyVaultProvider.ProviderName, akvProvider }, { DummyKeyStoreProvider.Name, dummyProvider } }; SqlConnection.RegisterColumnEncryptionKeyStoreProviders(customProviders: customKeyStoreProviders); IsAKVProviderRegistered = true; }
static void Main() { using (SqlConnection connection = new SqlConnection(connectionString)) { using (SqlCommand command = connection.CreateCommand()) { Dictionary <string, SqlColumnEncryptionKeyStoreProvider> customKeyStoreProviders = new Dictionary <string, SqlColumnEncryptionKeyStoreProvider>(); SqlColumnEncryptionAzureKeyVaultProvider azureKeyVaultProvider = new SqlColumnEncryptionAzureKeyVaultProvider(); customKeyStoreProviders.Add(SqlColumnEncryptionAzureKeyVaultProvider.ProviderName, azureKeyVaultProvider); command.RegisterColumnEncryptionKeyStoreProvidersOnCommand(customKeyStoreProviders); // Perform database operation using Azure Key Vault Provider // Any decrypted column encryption keys will be cached } // Column encryption key cache of "azureKeyVaultProvider" is cleared when "azureKeyVaultProvider" goes out of scope } }
public static void TokenCredentialTest() { Guid activityId = Trace.CorrelationManager.ActivityId = Guid.NewGuid(); using DataTestUtility.AKVEventListener AKVListener = new(); ClientSecretCredential clientSecretCredential = new ClientSecretCredential(DataTestUtility.AKVTenantId, DataTestUtility.AKVClientId, DataTestUtility.AKVClientSecret); SqlColumnEncryptionAzureKeyVaultProvider akvProvider = new SqlColumnEncryptionAzureKeyVaultProvider(clientSecretCredential); byte[] encryptedCek = akvProvider.EncryptColumnEncryptionKey(DataTestUtility.AKVUrl, EncryptionAlgorithm, s_columnEncryptionKey); byte[] decryptedCek = akvProvider.DecryptColumnEncryptionKey(DataTestUtility.AKVUrl, EncryptionAlgorithm, encryptedCek); Assert.Equal(s_columnEncryptionKey, decryptedCek); ValidateAKVTraces(AKVListener.EventData, activityId); }
/// <summary> /// Registers the AzureKeyVaultProvider to be used with Column Encryption in SQL Server (Always Encrypted). /// </summary> public SqlColumnEncryptionAzureKeyVaultProvider GetSqlColumnEncryptionAzureKeyVaultProvider() { SqlColumnEncryptionAzureKeyVaultProvider azureKeyVaultProvider = new SqlColumnEncryptionAzureKeyVaultProvider(GetTokenAsync); return azureKeyVaultProvider; }