I am using SQL Server 2016 Enterprise Edition with SQL Connector for Azure Key Vault. I am trying to attach more than one Key Vault to my SQL instance but it is not working.
I went through these instructions to set up the EKM provider and create a credential, create a new database encryption key from the asymmetric key, etc. for the first key vault –
testkeyvault1. I am trying to repeat these same actions using a second credential which is configured for the second key vault –
However, I keep getting the following error:
Msg 33049, Level 16, State 2, Line 70
Key with name ‘test2rsakey0’ does not exist in the provider or access is denied. Provider error code: 3112. (Provider Error – No explanation is available, consult EKM Provider for details)
SQL Server is clearly looking at the wrong key vault. Looking at the event viewer shows this as well:
Vault Name: testkeyvault1.vault.azure.net Operation: getKeyByName Key Name: test2rsakey0 Message: [error:112, info:404, state:0] The server responded 404, because the key name was not found. Please make sure the key name exists in your vault.
If I add
testkeyvault2 first, and then repeat the process for
testkeyvault1, the results are reversed. So it seems that SQL Connector looks for keys only in the first configured key vault. I even checked the registry and ensured that keys exist for both key vaults in the following path:
ComputerHKEY_LOCAL_MACHINESOFTWAREMicrosoftSQL Server Cryptographic ProviderAzure Key Vault
I need to be able to use multiple key vaults since some customers want to provide access to their own key vault to encrypt the database stored on our servers.
Is there any way around this? Any alternative solutions to use multiple key vaults, or to allow customers a BYOK model?
Stupidly enough, opening a new tab in SQL Studio fixed the issue. I guess when creating a credential, it seems to “stick” to the tab on which it was created, even if creating and binding a second credential within the same tab. Running the same commands in a new tab worked.