Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SQL Server Always Encrypted feature with KeyVault and MSI #1069

Closed
VenkataMadana opened this issue May 27, 2019 · 6 comments
Closed

SQL Server Always Encrypted feature with KeyVault and MSI #1069

VenkataMadana opened this issue May 27, 2019 · 6 comments
Labels
Enhancement An enhancement to the driver. Lower priority than bugs.

Comments

@VenkataMadana
Copy link

Question

We are trying to use SQL Server Always Encrypted feature with KeyVault and MSI. Azure App Service MSI feature is used on the database on KeyVault. Please provide an example without keyvault ClientId and ClientSecret.

We have a working solution based on keyvault ClientId and ClientSecret, But we are checking a solution without using ClientId and ClientSecret.

SQLServerColumnEncryptionAzureKeyVaultProvider akvProvider = new SQLServerColumnEncryptionAzureKeyVaultProvider(alwaysOnEncyrptionClientId, alwaysOnEncyrptionClientSecret);
	    Map<String, SQLServerColumnEncryptionKeyStoreProvider> keyStoreMap = new HashMap<>();
	    keyStoreMap.put(akvProvider.getName(), akvProvider);
	    SQLServerConnection.registerColumnEncryptionKeyStoreProviders(keyStoreMap);

Relevant Issues and Pull Requests

@VenkataMadana VenkataMadana added the Question Used when a question is asked, as opposed to an issue being raised label May 27, 2019
@cheenamalhotra
Copy link
Member

cheenamalhotra commented May 27, 2019

Hi @venkatareddym

In order to work with Always Encrypted feature, you can choose one of three methods:

  • Windows Cert Store
  • Java Key Store (JKS)
  • Azure Key Vault (AKV)

Documentation Reference:
https://docs.microsoft.com/en-us/sql/connect/jdbc/using-always-encrypted-with-the-jdbc-driver?view=sql-server-2017#using-built-in-column-master-key-store-providers

@VenkataMadana
Copy link
Author

We already using an Always Encrypted feature with Key Vault with ClientId and ClientSecret. We want to eliminate the ClientId and ClientSecret with the Azure app services MSI feature. For SQL server we already using Azure App services MSI feature.

Our main goal is to eliminate the secrets and passwords on config files. We are checking examples for SQLServerKeyVaultAuthenticationCallback with Keyvalut MSI ( Managed Service Identity )features.

https://github.com/microsoft/mssql-jdbc/blob/master/src/main/java/com/microsoft/sqlserver/jdbc/SQLServerColumnEncryptionAzureKeyVaultProvider.java

@cheenamalhotra
Copy link
Member

Hi @venkatareddym

Yes, that is not supported by driver yet. As of now MSI is only supported for acquiring access token for Azure database connection. I will keep the issue open until we support Azure Key Vault access with MSI in the driver.

@cheenamalhotra cheenamalhotra added Enhancement An enhancement to the driver. Lower priority than bugs. and removed Question Used when a question is asked, as opposed to an issue being raised labels May 28, 2019
@ronneyramon
Copy link

ronneyramon commented Jun 14, 2019

Hi,

@venkatareddym, you can get the Azure Key Vault access token using the AzureServiceTokenProvider (from Microsoft.Azure.Services.AppAuthentication 1.2.0 preview).

The GetToken method:

public static Task<string> GetToken(string authority, string resource, string scope)
{
	return (new AzureServiceTokenProvider()).GetAccessTokenAsync("https://vault.azure.net");
}
SqlColumnEncryptionAzureKeyVaultProvider azureKeyVaultProvider = new SqlColumnEncryptionAzureKeyVaultProvider(GetToken);

Dictionary<string, SqlColumnEncryptionKeyStoreProvider> providers = new Dictionary<string, SqlColumnEncryptionKeyStoreProvider>();

providers.Add(SqlColumnEncryptionAzureKeyVaultProvider.ProviderName, azureKeyVaultProvider);
SqlConnection.RegisterColumnEncryptionKeyStoreProviders(providers);

@cheenamalhotra cheenamalhotra removed their assignment Jul 19, 2019
@manikandanramaswami
Copy link

manikandanramaswami commented Jan 6, 2020

@cheenamalhotra @venkatareddym @ronneyramon I too like this feature to be implemented in JDBC driver. This is analogous to IntegratedSecurity=true in a connection string which automatically initiates Windows Security based connection to SQL Server. Like wise, If a Connection String Keyword IntegratedKeyVaultSecurity=true (or any meaningful keyword) is introduced to wrap registration of KeyVaultProvider (GetToken callback) it would be of great help.

From JDBC driver version 7.4.1 onwards, AzureKeyVaultProvider is automatically registered if two Connection String Keywords present keyVaultProviderClientId, keyVaultProviderClientKey (#902) eliminating the need for writing the below code.
This is great usability improvement in terms of using JDBC under Cold Fusion environment.

SQLServerColumnEncryptionAzureKeyVaultProvider akvProvider = new SQLServerColumnEncryptionAzureKeyVaultProvider(alwaysOnEncyrptionClientId, alwaysOnEncyrptionClientSecret);
	    Map<String, SQLServerColumnEncryptionKeyStoreProvider> keyStoreMap = new HashMap<>();
	    keyStoreMap.put(akvProvider.getName(), akvProvider);
	    SQLServerConnection.registerColumnEncryptionKeyStoreProviders(keyStoreMap);

@lilgreenbird
Copy link
Contributor

lilgreenbird commented Apr 2, 2020

hi all, as of the latest 8.3.0 preview release the driver added support for authentication to AKV using Managed Identity. Here is a wiki on how to use this feature. Please give this a try and let us know if you have any questions.

I'll close this feature request issue now if any questions or problems please open a new issue. Thanks..

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Enhancement An enhancement to the driver. Lower priority than bugs.
Projects
None yet
Development

No branches or pull requests

5 participants