// ******************************************
static void Main(string[] args)
{
// Initialize AKV provider
var sqlColumnEncryptionAzureKeyVaultProvider = new SqlColumnEncryptionAzureKeyVaultProvider(AzureActiveDirectoryAuthenticationCallback);
// Register AKV provider
SqlConnection.RegisterColumnEncryptionKeyStoreProviders(customProviders: new Dictionary <string, SqlColumnEncryptionKeyStoreProvider>(capacity: 1, comparer: StringComparer.OrdinalIgnoreCase)
{
{ SqlColumnEncryptionAzureKeyVaultProvider.ProviderName, sqlColumnEncryptionAzureKeyVaultProvider }
});
Console.WriteLine("AKV provider Registered");
// Create connection to database
using (SqlConnection sqlConnection = new SqlConnection(s_connectionString))
{
var cmkName = "CMK_WITH_AKV";
var cekName = "CEK_WITH_AKV";
var tblName = "AKV_TEST_TABLE";
var customer = new CustomerRecord(1, @"Microsoft", @"Corporation");
try
{
sqlConnection.Open();
// Drop Objects if exists
dropObjects(sqlConnection, cmkName, cekName, tblName);
// Create Column Master Key with AKV Url
createCMK(sqlConnection, cmkName, sqlColumnEncryptionAzureKeyVaultProvider);
Console.WriteLine("Column Master Key created.");
// Create Column Encryption Key
createCEK(sqlConnection, cmkName, cekName, sqlColumnEncryptionAzureKeyVaultProvider);
Console.WriteLine("Column Encryption Key created.");
// Create Table with Encrypted Columns
createTbl(sqlConnection, cekName, tblName);
Console.WriteLine("Table created with Encrypted columns.");
// Insert Customer Record in table
insertData(sqlConnection, tblName, customer);
Console.WriteLine("Encryted data inserted.");
// Read data from table
verifyData(sqlConnection, tblName, customer);
Console.WriteLine("Data validated successfully.");
}
finally
{
// Drop table and keys
dropObjects(sqlConnection, cmkName, cekName, tblName);
Console.WriteLine("Dropped Table, CEK and CMK");
}
Console.WriteLine("Completed AKV provider Sample.");
Console.ReadKey();
}
}
// Initialize the Azure Key Vault provider for Always Encrypted. Required if column master keys are stored in Azure Key Vault.
private void InitializeAzureKeyVaultProvider()
{
TokenCredential tokenCredential = null;
SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder(Configuration.GetConnectionString("ContosoHRDatabase"));
if (builder.Authentication == SqlAuthenticationMethod.ActiveDirectoryManagedIdentity)
{
// If the application uses a managed identity to talk to Azure SQL Database, use the managed identity for Azure Key Vault too.
tokenCredential = new ManagedIdentityCredential();
}
else
{
// Assume a managed identity is not available to the app. Instead, use a client id/secret to authenticate to Azure Key Vault.
// Fetch client id, secret, tenant id from the configuration.
// It is recommended you specify these parameters in secrets.json.
// See https://docs.microsoft.com/aspnet/core/security/app-secrets?view=aspnetcore-5.0&tabs=windows on how store secrets in secrets.json.
var clientId = Configuration["ClientId"];
var secret = Configuration["Secret"];
var tenantId = Configuration["TenantId"];
tokenCredential = new ClientSecretCredential(tenantId, clientId, secret);
}
SqlColumnEncryptionAzureKeyVaultProvider sqlColumnEncryptionAzureKeyVaultProvider =
new SqlColumnEncryptionAzureKeyVaultProvider(tokenCredential);
SqlConnection.RegisterColumnEncryptionKeyStoreProviders(
customProviders: new Dictionary <string, SqlColumnEncryptionKeyStoreProvider>(capacity: 1, comparer: StringComparer.OrdinalIgnoreCase)
{
{ SqlColumnEncryptionAzureKeyVaultProvider.ProviderName, sqlColumnEncryptionAzureKeyVaultProvider }
}
);
}
async protected void Application_Start()
{
AreaRegistration.RegisterAllAreas();
GlobalConfiguration.Configure(WebApiConfig.Register);
FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
RouteConfig.RegisterRoutes(RouteTable.Routes);
BundleConfig.RegisterBundles(BundleTable.Bundles);
HttpConfiguration config = GlobalConfiguration.Configuration;
config.Formatters.JsonFormatter.SerializerSettings.ReferenceLoopHandling = Newtonsoft.Json.ReferenceLoopHandling.Ignore;
//Adds the Azure Key Vault Provider to ensure the column is unencrypted when queryed upon
//Reference: https://blogs.msdn.microsoft.com/sqlsecurity/2015/11/10/using-the-azure-key-vault-key-store-provider-for-always-encrypted/
SqlColumnEncryptionAzureKeyVaultProvider azureKeyVaultProvider = new SqlColumnEncryptionAzureKeyVaultProvider(Util.GetToken);
Dictionary <string, SqlColumnEncryptionKeyStoreProvider> providers = new Dictionary <string, SqlColumnEncryptionKeyStoreProvider>();
providers.Add(SqlColumnEncryptionAzureKeyVaultProvider.ProviderName, azureKeyVaultProvider);
SqlConnection.RegisterColumnEncryptionKeyStoreProviders(providers);
//Get an access token for the Key Vault to get the secret out...
var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(Util.GetToken));
var sec = await kv.GetSecretAsync(WebConfigurationManager.AppSettings["SecretUri"]);
//ensure that the connect string has the "Column Encryption Setting=Enabled" in it!
Util.EncryptSecret = sec.Value;
}
static void Main()
{
Dictionary <string, SqlColumnEncryptionKeyStoreProvider> customKeyStoreProviders = new Dictionary <string, SqlColumnEncryptionKeyStoreProvider>();
MyCustomKeyStoreProvider firstProvider = new MyCustomKeyStoreProvider();
customKeyStoreProviders.Add("FIRST_CUSTOM_STORE", firstProvider);
// Registers the provider globally
SqlConnection.RegisterColumnEncryptionKeyStoreProviders(customKeyStoreProviders);
using (SqlConnection connection = new SqlConnection(connectionString))
{
customKeyStoreProviders.Clear();
MyCustomKeyStoreProvider secondProvider = new MyCustomKeyStoreProvider();
customKeyStoreProviders.Add("SECOND_CUSTOM_STORE", secondProvider);
// Registers the provider on the connection
connection.RegisterColumnEncryptionKeyStoreProvidersOnConnection(customKeyStoreProviders);
using (SqlCommand command = connection.CreateCommand())
{
customKeyStoreProviders.Clear();
SqlColumnEncryptionAzureKeyVaultProvider azureKeyVaultProvider = new SqlColumnEncryptionAzureKeyVaultProvider();
customKeyStoreProviders.Add(SqlColumnEncryptionAzureKeyVaultProvider.ProviderName, azureKeyVaultProvider);
// Registers the provider on the command
// These providers will take precedence over connection-level providers and globally registered providers
command.RegisterColumnEncryptionKeyStoreProvidersOnCommand(customKeyStoreProviders);
}
}
}
private void InitializeAzureKeyVaultProvider()
{
// Initialize the Azure Key Vault provider
TokenCredential tokenCredential = null;
SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder(Configuration.GetConnectionString("ContosoHRDatabase"));
if (builder.Authentication == SqlAuthenticationMethod.ActiveDirectoryManagedIdentity)
{
tokenCredential = new ManagedIdentityCredential();
}
else
{
var clientId = "...";
var secret = "...";
var tenantId = "...";
tokenCredential = new ClientSecretCredential(tenantId, clientId, secret);
}
SqlColumnEncryptionAzureKeyVaultProvider sqlColumnEncryptionAzureKeyVaultProvider =
new SqlColumnEncryptionAzureKeyVaultProvider(tokenCredential);
SqlConnection.RegisterColumnEncryptionKeyStoreProviders(
customProviders: new Dictionary <string, SqlColumnEncryptionKeyStoreProvider>(capacity: 1, comparer: StringComparer.OrdinalIgnoreCase)
{
{ SqlColumnEncryptionAzureKeyVaultProvider.ProviderName, sqlColumnEncryptionAzureKeyVaultProvider }
}
);
}
// ******************************************
static void Main(string[] args)
{
// Initialize AKV provider
SqlColumnEncryptionAzureKeyVaultProvider sqlColumnEncryptionAzureKeyVaultProvider = new SqlColumnEncryptionAzureKeyVaultProvider(AzureActiveDirectoryAuthenticationCallback, s_trustedEndPoint);
// Register AKV provider
SqlConnection.RegisterColumnEncryptionKeyStoreProviders(customProviders: new Dictionary <string, SqlColumnEncryptionKeyStoreProvider>(capacity: 1, comparer: StringComparer.OrdinalIgnoreCase)
{
{ SqlColumnEncryptionAzureKeyVaultProvider.ProviderName, sqlColumnEncryptionAzureKeyVaultProvider }
});
Console.WriteLine("AKV provider Registered");
// Create connection to database
using (SqlConnection sqlConnection = new SqlConnection(s_connectionString))
{
string cmkName = "CMK_WITH_AKV";
string cekName = "CEK_WITH_AKV";
string tblName = "AKV_TEST_TABLE";
sqlConnection.Open();
// Create Column Master Key with AKV Url
createCMK(sqlConnection, cmkName, sqlColumnEncryptionAzureKeyVaultProvider);
Console.WriteLine("Column Master Key created.");
// Create Column Encryption Key
createCEK(sqlConnection, cmkName, cekName, sqlColumnEncryptionAzureKeyVaultProvider);
Console.WriteLine("Column Encryption Key created.");
// Create Table with Encrypted Columns
createTbl(sqlConnection, cekName, tblName);
Console.WriteLine("Table created with Encrypted columns.");
}
}
public static void ReturnSpecifiedVersionOfKeyWhenItIsNotTheMostRecentVersion()
{
Uri keyPathUri = new Uri(DataTestUtility.AKVOriginalUrl);
Uri vaultUri = new Uri(keyPathUri.GetLeftPart(UriPartial.Authority));
//If key version is not specified then we cannot test.
if (KeyIsVersioned(keyPathUri))
{
string keyName = keyPathUri.Segments[2];
string keyVersion = keyPathUri.Segments[3];
ClientSecretCredential clientSecretCredential = new ClientSecretCredential(DataTestUtility.AKVTenantId, DataTestUtility.AKVClientId, DataTestUtility.AKVClientSecret);
KeyClient keyClient = new KeyClient(vaultUri, clientSecretCredential);
KeyVaultKey currentVersionKey = keyClient.GetKey(keyName);
KeyVaultKey specifiedVersionKey = keyClient.GetKey(keyName, keyVersion);
//If specified versioned key is the most recent version of the key then we cannot test.
if (!KeyIsLatestVersion(specifiedVersionKey, currentVersionKey))
{
SqlColumnEncryptionAzureKeyVaultProvider azureKeyProvider = new SqlColumnEncryptionAzureKeyVaultProvider(clientSecretCredential);
// Perform an operation to initialize the internal caches
azureKeyProvider.EncryptColumnEncryptionKey(DataTestUtility.AKVOriginalUrl, EncryptionAlgorithm, s_columnEncryptionKey);
PropertyInfo keyCryptographerProperty = azureKeyProvider.GetType().GetProperty("KeyCryptographer", BindingFlags.NonPublic | BindingFlags.Instance);
var keyCryptographer = keyCryptographerProperty.GetValue(azureKeyProvider);
MethodInfo getKeyMethod = keyCryptographer.GetType().GetMethod("GetKey", BindingFlags.NonPublic | BindingFlags.Instance);
KeyVaultKey key = (KeyVaultKey)getKeyMethod.Invoke(keyCryptographer, new[] { DataTestUtility.AKVOriginalUrl });
Assert.Equal(keyVersion, key.Properties.Version);
}
}
}
public static void InitializeSQLProviders()
{
SqlColumnEncryptionAzureKeyVaultProvider azureKeyVaultProvider = new SqlColumnEncryptionAzureKeyVaultProvider(GetToken);
var providers = new Dictionary <string, SqlColumnEncryptionKeyStoreProvider>();
providers.Add(SqlColumnEncryptionAzureKeyVaultProvider.ProviderName, azureKeyVaultProvider);
SqlConnection.RegisterColumnEncryptionKeyStoreProviders(providers);
}
private static object GetCacheInstance(string cacheName, SqlColumnEncryptionAzureKeyVaultProvider akvProvider)
{
Assembly akvProviderAssembly = typeof(SqlColumnEncryptionAzureKeyVaultProvider).Assembly;
Type akvProviderType = akvProviderAssembly.GetType(
"Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider.SqlColumnEncryptionAzureKeyVaultProvider");
FieldInfo cacheField = akvProviderType.GetField(cacheName, BindingFlags.Instance | BindingFlags.NonPublic);
return(cacheField.GetValue(akvProvider));
}
private static bool CekCacheContainsKey(byte[] encryptedCek, SqlColumnEncryptionAzureKeyVaultProvider akvProvider)
{
var cacheInstance = GetCacheInstance("_columnEncryptionKeyCache", akvProvider);
Type cacheType = cacheInstance.GetType();
MethodInfo containsMethod = cacheType.GetMethod("Contains", BindingFlags.Instance | BindingFlags.NonPublic);
bool containsResult = (bool)containsMethod.Invoke(cacheInstance, new object[] { ToHexString(encryptedCek) });
return(containsResult);
}
public SQLSetupStrategyAzureKeyVault() : base()
{
AkvStoreProvider = new SqlColumnEncryptionAzureKeyVaultProvider(new SqlClientCustomTokenCredential());
if (!IsAKVProviderRegistered)
{
RegisterGlobalProviders(AkvStoreProvider);
}
SetupDatabase();
}
private void RegisterAzureKeyVaultProvider()
{
SqlColumnEncryptionAzureKeyVaultProvider sqlColumnEncryptionAzureKeyVaultProvider = new SqlColumnEncryptionAzureKeyVaultProvider(AzureActiveDirectoryAuthenticationCallback);
SqlConnection.RegisterColumnEncryptionKeyStoreProviders(customProviders: new Dictionary <string, SqlColumnEncryptionKeyStoreProvider>(capacity: 1, comparer: StringComparer.OrdinalIgnoreCase)
{
{ SqlColumnEncryptionAzureKeyVaultProvider.ProviderName, sqlColumnEncryptionAzureKeyVaultProvider }
});
}
private static int GetCacheCount(string cacheName, SqlColumnEncryptionAzureKeyVaultProvider akvProvider)
{
var cacheInstance = GetCacheInstance(cacheName, akvProvider);
Type cacheType = cacheInstance.GetType();
PropertyInfo countProperty = cacheType.GetProperty("Count", BindingFlags.Instance | BindingFlags.NonPublic);
int countValue = (int)countProperty.GetValue(cacheInstance);
return(countValue);
}
static void InitializeAzureKeyVaultProvider()
{
_clientCredential = new ClientCredential(clientId, clientSecret);
SqlColumnEncryptionAzureKeyVaultProvider azureKeyVaultProvider =
new SqlColumnEncryptionAzureKeyVaultProvider(GetToken);
Dictionary<string, SqlColumnEncryptionKeyStoreProvider> providers =
new Dictionary<string, SqlColumnEncryptionKeyStoreProvider>();
providers.Add(SqlColumnEncryptionAzureKeyVaultProvider.ProviderName, azureKeyVaultProvider);
SqlConnection.RegisterColumnEncryptionKeyStoreProviders(providers);
}
public static void LegacyAuthenticationCallbackTest()
{
// SqlClientCustomTokenCredential implements legacy authentication callback to request access token at client-side.
SqlColumnEncryptionAzureKeyVaultProvider akvProvider = new SqlColumnEncryptionAzureKeyVaultProvider(new SqlClientCustomTokenCredential());
byte[] encryptedCek = akvProvider.EncryptColumnEncryptionKey(DataTestUtility.AKVUrl, EncryptionAlgorithm, s_columnEncryptionKey);
byte[] decryptedCek = akvProvider.DecryptColumnEncryptionKey(DataTestUtility.AKVUrl, EncryptionAlgorithm, encryptedCek);
Assert.Equal(s_columnEncryptionKey, decryptedCek);
}
public static void InitializeAzureKeyVaultProvider()
{
var azKeyVaultProvider = new SqlColumnEncryptionAzureKeyVaultProvider(GetToken);
Dictionary <string, SqlColumnEncryptionKeyStoreProvider> providers = new Dictionary <string, SqlColumnEncryptionKeyStoreProvider>
{
{ SqlColumnEncryptionAzureKeyVaultProvider.ProviderName, azKeyVaultProvider }
};
SqlConnection.RegisterColumnEncryptionKeyStoreProviders(providers);
}
public static void TokenCredentialTest()
{
ClientSecretCredential clientSecretCredential = new ClientSecretCredential(DataTestUtility.AKVTenantId, DataTestUtility.AKVClientId, DataTestUtility.AKVClientSecret);
SqlColumnEncryptionAzureKeyVaultProvider akvProvider = new SqlColumnEncryptionAzureKeyVaultProvider(clientSecretCredential);
byte[] encryptedCek = akvProvider.EncryptColumnEncryptionKey(DataTestUtility.AKVUrl, EncryptionAlgorithm, s_columnEncryptionKey);
byte[] decryptedCek = akvProvider.DecryptColumnEncryptionKey(DataTestUtility.AKVUrl, EncryptionAlgorithm, encryptedCek);
Assert.Equal(s_columnEncryptionKey, decryptedCek);
}
////////////////////////////////////////////////////////////
// Public Methods/Atributes
////////////////////////////////////////////////////////////
/// <inheritdoc />
/// <summary>
/// Register the provider with ADO.net
/// </summary>
public void Register()
{
var azureKeyVaultProvider = new SqlColumnEncryptionAzureKeyVaultProvider(_keyVaultTokenProvider.GetTokenAsync);
var providers = new Dictionary <string, SqlColumnEncryptionKeyStoreProvider> {
{ SqlColumnEncryptionAzureKeyVaultProvider.ProviderName, azureKeyVaultProvider }
};
// register the provider with ADO.net
SqlConnection.RegisterColumnEncryptionKeyStoreProviders(providers);
}
public void InvalidTrustedEndpoint(string trustedEndpoint)
{
Exception ex = Assert.Throws <ArgumentException>(() =>
{
SqlColumnEncryptionAzureKeyVaultProvider azureKeyProvider = new SqlColumnEncryptionAzureKeyVaultProvider(
new SqlClientCustomTokenCredential(), trustedEndpoint);
});
Assert.Matches("One or more of the elements in trustedEndpoints are null or empty or consist of only whitespace.", ex.Message);
}
/// <summary>
/// Set up ADO to authenticate to Azure AD and retrieve the
/// Column Master Key (CMK) from a Key Vault as set up in the
/// App.Config. Then ADO will be able to use the CMK to decript
/// read from the Key Vault to decrypt the column Encryption Key (CEK)
/// that is an encrypted key stored in the database itself and returned
/// to teh app with the query for which the CMK is the decryption key.
/// Once ADO can unwrap the CEK by means of the CMK then it can use the
/// decrypted CEK to decrypt the data read from the database and viceversa
/// encrypt the data sent to it.
/// </summary>
private static void SetUpAdoNetEncryption()
{
var azEncryptionKeyVaultProvider = new SqlColumnEncryptionAzureKeyVaultProvider(GetAccessTokenAsync);
var providers = new Dictionary <string, SqlColumnEncryptionKeyStoreProvider>();
providers.Add(SqlColumnEncryptionAzureKeyVaultProvider.ProviderName, azEncryptionKeyVaultProvider);
SqlConnection.RegisterColumnEncryptionKeyStoreProviders(providers);
Console.WriteLine($"providers = {providers.Count}");
Console.WriteLine();
}
private static string GetEncryptedValue(SqlColumnEncryptionAzureKeyVaultProvider sqlColumnEncryptionAzureKeyVaultProvider)
{
byte[] plainTextColumnEncryptionKey = new byte[32];
RandomNumberGenerator rng = RandomNumberGenerator.Create();
rng.GetBytes(plainTextColumnEncryptionKey);
byte[] encryptedColumnEncryptionKey = sqlColumnEncryptionAzureKeyVaultProvider.EncryptColumnEncryptionKey(s_akvUrl, s_algorithm, plainTextColumnEncryptionKey);
string EncryptedValue = string.Concat("0x", BitConverter.ToString(encryptedColumnEncryptionKey).Replace("-", string.Empty));
return EncryptedValue;
}
public static void ThrowWhenUrlHasLessThanThreeSegments()
{
SqlColumnEncryptionAzureKeyVaultProvider azureKeyProvider = new SqlColumnEncryptionAzureKeyVaultProvider(new SqlClientCustomTokenCredential());
string invalidKeyPath = "https://my-key-vault.vault.azure.net/keys";
Exception ex1 = Assert.Throws <ArgumentException>(() => azureKeyProvider.EncryptColumnEncryptionKey(invalidKeyPath, EncryptionAlgorithm, s_columnEncryptionKey));
Assert.Contains($"Invalid url specified: '{invalidKeyPath}'", ex1.Message);
Exception ex2 = Assert.Throws <ArgumentException>(() => azureKeyProvider.DecryptColumnEncryptionKey(invalidKeyPath, EncryptionAlgorithm, s_columnEncryptionKey));
Assert.Contains($"Invalid url specified: '{invalidKeyPath}'", ex2.Message);
}
static void InitializeAzureKeyVaultProvider(AzureServiceTokenProvider azureServiceTokenProvider)
{
var azureKeyVaultProvider = new SqlColumnEncryptionAzureKeyVaultProvider(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
var providers = new Dictionary <string, SqlColumnEncryptionKeyStoreProvider>
{
{ SqlColumnEncryptionAzureKeyVaultProvider.ProviderName, azureKeyVaultProvider }
};
SqlConnection.RegisterColumnEncryptionKeyStoreProviders(providers);
}
private static string GetEncryptedValue(SqlColumnEncryptionAzureKeyVaultProvider sqlColumnEncryptionAzureKeyVaultProvider)
{
byte[] plainTextColumnEncryptionKey = new byte[32];
RNGCryptoServiceProvider rngCsp = new RNGCryptoServiceProvider();
rngCsp.GetBytes(plainTextColumnEncryptionKey);
byte[] encryptedColumnEncryptionKey = sqlColumnEncryptionAzureKeyVaultProvider.EncryptColumnEncryptionKey(s_akvUrl, s_algorithm, plainTextColumnEncryptionKey);
string EncryptedValue = string.Concat("0x", BitConverter.ToString(encryptedColumnEncryptionKey).Replace("-", string.Empty));
return(EncryptedValue);
}
static void InitializeAzureKeyVaultProvider()
{
string clientId = CloudConfigurationManager.GetSetting("ida:ClientId");
string clientSecret = CloudConfigurationManager.GetSetting("ida:ClientSecret");
_clientCredential = new ClientCredential(clientId, clientSecret);
SqlColumnEncryptionAzureKeyVaultProvider azureKeyVaultProvider = new SqlColumnEncryptionAzureKeyVaultProvider(GetToken);
Dictionary <string, SqlColumnEncryptionKeyStoreProvider> providers = new Dictionary <string, SqlColumnEncryptionKeyStoreProvider>();
providers.Add(SqlColumnEncryptionAzureKeyVaultProvider.ProviderName, azureKeyVaultProvider);
SqlConnection.RegisterColumnEncryptionKeyStoreProviders(providers);
}
public void IsCompatibleWithProviderUsingLegacyClient()
{
AzureKeyVaultKeyStoreProvider newAkvProvider = new AzureKeyVaultKeyStoreProvider(new ClientSecretCredential(tenantId, clientId, clientSecret));
SqlColumnEncryptionAzureKeyVaultProvider oldAkvProvider = new SqlColumnEncryptionAzureKeyVaultProvider(AzureActiveDirectoryAuthenticationCallback);
byte[] encryptedCekWithNewProvider = newAkvProvider.WrapKey(keyEncryptionKeyPath, EncryptionAlgorithm, ColumnEncryptionKey);
byte[] decryptedCekWithOldProvider = oldAkvProvider.DecryptColumnEncryptionKey(keyEncryptionKeyPath, EncryptionAlgorithm.ToString(), encryptedCekWithNewProvider);
Assert.Equal(ColumnEncryptionKey, decryptedCekWithOldProvider);
byte[] encryptedCekWithOldProvider = oldAkvProvider.EncryptColumnEncryptionKey(keyEncryptionKeyPath, EncryptionAlgorithm.ToString(), ColumnEncryptionKey);
byte[] decryptedCekWithNewProvider = newAkvProvider.UnwrapKey(keyEncryptionKeyPath, EncryptionAlgorithm, encryptedCekWithOldProvider);
Assert.Equal(ColumnEncryptionKey, decryptedCekWithNewProvider);
}
static async public Task Configure()
{
//Adds the Azure Key Vault Provider to ensure the column is unencrypted when queryed upon
//Reference: https://blogs.msdn.microsoft.com/sqlsecurity/2015/11/10/using-the-azure-key-vault-key-store-provider-for-always-encrypted/
SqlColumnEncryptionAzureKeyVaultProvider azureKeyVaultProvider = new SqlColumnEncryptionAzureKeyVaultProvider(Util.GetToken);
Dictionary <string, SqlColumnEncryptionKeyStoreProvider> providers = new Dictionary <string, SqlColumnEncryptionKeyStoreProvider>();
providers.Add(SqlColumnEncryptionAzureKeyVaultProvider.ProviderName, azureKeyVaultProvider);
SqlConnection.RegisterColumnEncryptionKeyStoreProviders(providers);
//Get an access token for the Key Vault to get the secret out...
kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(Util.GetToken));
}
public static void RegisterGlobalProviders(SqlColumnEncryptionAzureKeyVaultProvider akvProvider)
{
DummyKeyStoreProvider dummyProvider = new DummyKeyStoreProvider();
Dictionary <string, SqlColumnEncryptionKeyStoreProvider> customKeyStoreProviders =
new Dictionary <string, SqlColumnEncryptionKeyStoreProvider>(capacity: 2, comparer: StringComparer.OrdinalIgnoreCase)
{
{ SqlColumnEncryptionAzureKeyVaultProvider.ProviderName, akvProvider },
{ DummyKeyStoreProvider.Name, dummyProvider }
};
SqlConnection.RegisterColumnEncryptionKeyStoreProviders(customProviders: customKeyStoreProviders);
IsAKVProviderRegistered = true;
}
static void Main()
{
using (SqlConnection connection = new SqlConnection(connectionString))
{
using (SqlCommand command = connection.CreateCommand())
{
Dictionary <string, SqlColumnEncryptionKeyStoreProvider> customKeyStoreProviders = new Dictionary <string, SqlColumnEncryptionKeyStoreProvider>();
SqlColumnEncryptionAzureKeyVaultProvider azureKeyVaultProvider = new SqlColumnEncryptionAzureKeyVaultProvider();
customKeyStoreProviders.Add(SqlColumnEncryptionAzureKeyVaultProvider.ProviderName, azureKeyVaultProvider);
command.RegisterColumnEncryptionKeyStoreProvidersOnCommand(customKeyStoreProviders);
// Perform database operation using Azure Key Vault Provider
// Any decrypted column encryption keys will be cached
} // Column encryption key cache of "azureKeyVaultProvider" is cleared when "azureKeyVaultProvider" goes out of scope
}
}
public static void TokenCredentialTest()
{
Guid activityId = Trace.CorrelationManager.ActivityId = Guid.NewGuid();
using DataTestUtility.AKVEventListener AKVListener = new();
ClientSecretCredential clientSecretCredential = new ClientSecretCredential(DataTestUtility.AKVTenantId, DataTestUtility.AKVClientId, DataTestUtility.AKVClientSecret);
SqlColumnEncryptionAzureKeyVaultProvider akvProvider = new SqlColumnEncryptionAzureKeyVaultProvider(clientSecretCredential);
byte[] encryptedCek = akvProvider.EncryptColumnEncryptionKey(DataTestUtility.AKVUrl, EncryptionAlgorithm, s_columnEncryptionKey);
byte[] decryptedCek = akvProvider.DecryptColumnEncryptionKey(DataTestUtility.AKVUrl, EncryptionAlgorithm, encryptedCek);
Assert.Equal(s_columnEncryptionKey, decryptedCek);
ValidateAKVTraces(AKVListener.EventData, activityId);
}
/// <summary>
/// Registers the AzureKeyVaultProvider to be used with Column Encryption in SQL Server (Always Encrypted).
/// </summary>
public SqlColumnEncryptionAzureKeyVaultProvider GetSqlColumnEncryptionAzureKeyVaultProvider()
{
SqlColumnEncryptionAzureKeyVaultProvider azureKeyVaultProvider = new SqlColumnEncryptionAzureKeyVaultProvider(GetTokenAsync);
return azureKeyVaultProvider;
}