Question

In SQL Server 2016 Enterprise Edition, is it possible to link a single instance to more than one Azure key vault / EKM provider? If so, how would I add an additional provider? Any security considerations?

Also, is it possible to encrypt each individual database with different encryption keys, or is the same encryption key used for all databases?


Solution

In SQL Server 2016 Enterprise Edition, is it possible to link a single instance to more than one Azure key vault / EKM provider? If so, how would I add an additional provider? Any security considerations?

You don't add an additional provider; the provider is simply a reference to a DLL on the SQL Server that provides the interface to your EKM provider.

You add a credential to interact with the key vault (using the FOR CRYPTOGRAPHIC PROVIDER option) and associate that credential with a login. If you have additional key vaults, you add additional credentials and additional logins.

Also, is it possible to encrypt each individual database with different encryption keys, or is the same encryption key used for all databases?

(Assuming you mean TDE) Yes. You create a database encryption key, scoped to the DB in question, protected by a certificate or server asymmetric key per database. You already get a different encryption key per DB and you can even protect the DEK using a different cert or asymmetric key per database.

Scenario: I want to protect 2 databases with TDE using individual Asymmetric Keys provided by different Azure Key Vaults.

Steps:

  1. Create Cryptographic Provider for Azure Key Vault
  2. Create Credential1 for accessing AKV1
  3. Associate Credential1 with sysadmin user
  4. Create Asymmetric Key1 from AKV1
  5. Create Login1 from Asymmetric Key1
  6. Remove Credential1 from sysadmin user
  7. Add Credential1 to Login1
  8. Configure TDE on DB1 using Asymmetric Key1
  9. Create Credential2 for accessing AKV2
  10. Associate Credential2 with sysadmin user
  11. Create Asymmetric Key2 from AKV2
  12. Create Login2 from Asymmetric Key2
  13. Remove Credential2 from sysadmin user
  14. Add Credential2 to Login2
  15. Configure TDE on DB2 using Asymmetric Key2
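The fifteen steps above written out as one T-SQL script. This is an added example, not code from the original answer or from Microsoft's documentation; the vault names, key names, the placeholder client IDs and secrets, the connector DLL path, the databases DB1 and DB2 and the sysadmin login CONTOSO\sqladmin are all assumed and must be replaced with your own.

```sql
-- Added example (not part of the original answer): the fifteen-step procedure
-- above as a single script. Vault names, key names, client IDs/secrets, the DLL
-- path, the database names and the sysadmin login are placeholders.
USE master;
GO

-- 0. EKM is off by default; enable it once per instance.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'EKM provider enabled', 1;
RECONFIGURE;
GO

-- 1. One cryptographic provider: a reference to the connector DLL. It is
--    shared by both vaults; nothing vault-specific lives here.
CREATE CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM_Prov
FROM FILE = 'C:\Program Files\SQL Server Connector for Microsoft Azure Key Vault\Microsoft.AzureKeyVaultService.EKM.dll';
GO

-- 2. Credential1 for AKV1. IDENTITY is the vault name; SECRET is the Azure AD
--    application (client) ID with the hyphens removed, immediately followed by
--    the client secret, which is the format the connector documents.
CREATE CREDENTIAL AKV1_cred
    WITH IDENTITY = 'contoso-vault-1',
    SECRET = '<ClientId1WithoutHyphens><ClientSecret1>'
FOR CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM_Prov;
GO

-- 3. Map Credential1 to the sysadmin login that will import the key.
ALTER LOGIN [CONTOSO\sqladmin] ADD CREDENTIAL AKV1_cred;
GO

-- 4. Asymmetric Key1: a server-level handle for the RSA key that already
--    exists in AKV1 (OPEN_EXISTING). The private half never leaves the vault.
CREATE ASYMMETRIC KEY AKV1_TDE_Key
FROM PROVIDER AzureKeyVault_EKM_Prov
WITH PROVIDER_KEY_NAME = 'TdeKeyDb1',
     CREATION_DISPOSITION = OPEN_EXISTING;
GO

-- 5. Login1 from Asymmetric Key1. The instance uses this login's credential
--    whenever it must unwrap DB1's DEK (for example at startup).
CREATE LOGIN AKV1_TDE_Login FROM ASYMMETRIC KEY AKV1_TDE_Key;
GO

-- 6./7. Move Credential1 from the sysadmin to Login1. A login holds at most one
--       credential per cryptographic provider, so the sysadmin must drop it
--       before taking Credential2 in step 10.
ALTER LOGIN [CONTOSO\sqladmin] DROP CREDENTIAL AKV1_cred;
ALTER LOGIN AKV1_TDE_Login ADD CREDENTIAL AKV1_cred;
GO

-- 8. TDE on DB1: a DEK scoped to DB1, wrapped by Asymmetric Key1.
USE DB1;
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER ASYMMETRIC KEY AKV1_TDE_Key;
ALTER DATABASE DB1 SET ENCRYPTION ON;
GO

-- 9.-15. The same sequence for AKV2 and DB2: its own credential, key and login.
USE master;
CREATE CREDENTIAL AKV2_cred
    WITH IDENTITY = 'contoso-vault-2',
    SECRET = '<ClientId2WithoutHyphens><ClientSecret2>'
FOR CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM_Prov;
ALTER LOGIN [CONTOSO\sqladmin] ADD CREDENTIAL AKV2_cred;
GO

CREATE ASYMMETRIC KEY AKV2_TDE_Key
FROM PROVIDER AzureKeyVault_EKM_Prov
WITH PROVIDER_KEY_NAME = 'TdeKeyDb2',
     CREATION_DISPOSITION = OPEN_EXISTING;
CREATE LOGIN AKV2_TDE_Login FROM ASYMMETRIC KEY AKV2_TDE_Key;
ALTER LOGIN [CONTOSO\sqladmin] DROP CREDENTIAL AKV2_cred;
ALTER LOGIN AKV2_TDE_Login ADD CREDENTIAL AKV2_cred;
GO

USE DB2;
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER ASYMMETRIC KEY AKV2_TDE_Key;
ALTER DATABASE DB2 SET ENCRYPTION ON;
GO

-- Check: each database has its own DEK, and the two DEKs are protected by
-- different server asymmetric keys (encryption_state 3 = encrypted).
USE master;
SELECT DB_NAME(dek.database_id) AS database_name,
       dek.encryption_state,
       dek.key_algorithm,
       dek.key_length,
       dek.encryptor_type,
       ak.name AS encryptor_name
FROM sys.dm_database_encryption_keys AS dek
JOIN sys.asymmetric_keys AS ak
  ON ak.thumbprint = dek.encryptor_thumbprint;
GO
```

Two practical points on the security side of the question. Each credential's SECRET is stored in master, protected by the service master key, so whoever can read master or its backups holds the vault client secrets; give each vault its own Azure AD application, grant that application only the key permissions the connector requires on that one vault, and rotate the client secret by altering the credential. Losing access to a vault (revoked permissions, expired secret, deleted key) means the instance can no longer unwrap that database's DEK at the next startup, so protect the vault keys with the vault's own backup and soft-delete features rather than relying on the SQL Server side alone.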
Licensed under: CC-BY-SA with attribution
Not affiliated with dba.stackexchange