问题
I am trying to encrypt sql server database in Azure VM using TDE where the EKM will use Azure Key vault. I have been following the steps outlined in below link.
setup steps for EKM using Azure Key Vault
I have followed all the steps exactly including the below step where we need to provide value for SECRET (Application ID without hyphens+ Azure vault key).
USE master;
CREATE CREDENTIAL sysadmin_ekm_cred
WITH IDENTITY = 'keyvaultname',
SECRET =
'ef509ab6e52649388e65283e9378b0a171ccf2d0a8004abbbaaf93ab8f5909c0'
FOR CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM_Prov;
I get following error when trying to run below code
CREATE ASYMMETRIC KEY CONTOSO_KEY
FROM PROVIDER [AzureKeyVault_EKM_Prov]
WITH PROVIDER_KEY_NAME = 'Azurevaultkeyname',
CREATION_DISPOSITION = OPEN_EXISTING;
Msg 33028, Level 16, State 1, Line 14 Cannot open session for cryptographic provider 'AzureKeyVault_EKM_Prov'. Provider error code: 3303. (Provider Error - No explanation is available, consult EKM Provider for details)
Please let me know how to fix it.
回答1:
I ran into a similar issue, the provider tries to create a registry key but doesn't have permissions to do so, therefore it fails. Try the following steps taken from this blogpost
Open regedit
- Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
- Create a new Key called “SQL Server Cryptographic Provider” (without quotes)
- Right click the key, from the context menu select ‘permissions.
- Give Full Control permissions to this key to the Windows service account that runs SQL Server
来源:https://stackoverflow.com/questions/48517350/why-is-sql-server-unable-to-connect-to-azure-key-vault-using-sql-server-connecto