SQL Connector for Azure Key Vault - Cannot use more than one key vault
https://dba.stackexchange.com/questions/246307
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianВопрос
I am using SQL Server 2016 Enterprise Edition with SQL Connector for Azure Key Vault. I am trying to attach more than one Key Vault to my SQL instance but it is not working.
I went through these instructions to set up the EKM provider and create a credential, create a new database encryption key from the asymmetric key, etc. for the first key vault - testkeyvault1. I am trying to repeat these same actions using a second credential which is configured for the second key vault - testkeyvault2
However, I keep getting the following error:
Msg 33049, Level 16, State 2, Line 70 Key with name 'test2rsakey0' does not exist in the provider or access is denied. Provider error code: 3112. (Provider Error - No explanation is available, consult EKM Provider for details)
SQL Server is clearly looking at the wrong key vault. Looking at the event viewer shows this as well:
Vault Name: testkeyvault1.vault.azure.net
Operation: getKeyByName
Key Name: test2rsakey0
Message: [error:112, info:404, state:0] The server responded 404, because the key name was not found. Please make sure the key name exists in your vault.
If I add testkeyvault2 first, and then repeat the process for testkeyvault1, the results are reversed. So it seems that SQL Connector looks for keys only in the first configured key vault. I even checked the registry and ensured that keys exist for both key vaults in the following path: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQL Server Cryptographic Provider\Azure Key Vault\
I need to be able to use multiple key vaults since some customers want to provide access to their own key vault to encrypt the database stored on our servers.
Is there any way around this? Any alternative solutions to use multiple key vaults, or to allow customers a BYOK model?
Решение
Stupidly enough, opening a new tab in SQL Studio fixed the issue. I guess when creating a credential, it seems to "stick" to the tab on which it was created, even if creating and binding a second credential within the same tab. Running the same commands in a new tab worked.
