
I'm trying to create an ARM template which can deploy a SQL Enterprise VM in Azure with Transparent Data Encryption (TDE), utilizing Key Vault as the EKM.

I've found examples of how to enable TDE through Key Vault including the 101 SQL KeyVault template and SQL ARM Provision but in both instances they only require the Key Vault URL and access credentials (AppID and Secret).

Being as no existing secret URL is supplied, this seems to imply that the asymmetric key residing in the EKM (Key Vault) will be created by the deployment process which, according to Microsoft's Security Note, is bad practice for Production workloads being as the key can never be exported.

Given the above, I'm attempting to point SQL to an existing asymmetric key I've imported into Key Vault as a pfx file, but I can't seem to find any documentation on how to reference this when it comes to creating the VM via an ARM template. If anyone knows whether this is possible, instead of having to do a number of manual steps via PowerShell and/or T-SQL once the VM's been created, I'd be very grateful.

AndyHerb
  • Unless I'm mistaken, Resource Explorer only shows what's actually running, therefore it won't show me what could be set up :( – AndyHerb Feb 29 '16 at 08:57
  • Don't worry - it's easily done! – AndyHerb Feb 29 '16 at 09:11
  • In the same vein though, if you configure an Azure SQL server with TDE via Key Vault, maybe Resource Manager will give some pointers on how to bring that out into a VM – Michael B Feb 29 '16 at 09:15
  • There's plenty of documentation on how to get it working within a VM using Key Vault as the EKM, but it's all based around the asymmetric key being created in Key Vault by the creation process, which is a VERY bad idea for Production workloads. I could do with a way of seeing what settings you could provide, rather than what I have provided – AndyHerb Feb 29 '16 at 09:18
  • This is a common problem with Azure documentation; it is difficult to find information on alternative use cases. If you put the URL of your uploaded certificate into `AzureKeyVaultUrl` in the template, what does it do? Is there an error? – Michael B Feb 29 '16 at 09:33

2 Answers


As a small prewarning, this isn't something I've used; so far it was just from having a read through the source. I'll likely try it at some point soon, but this might help along the way.

Looking at the files for the commit that added Key Vault to the Azure SQL extension, the part that templates interact with appears to be the part that the template configures.

This is also the part that the Azure SQL VM PowerShell commands interact with, which also feed into the same parts.

If you can configure it from PowerShell through that extension, then it should also be possible to do so through templates.

Michael B
  • Thanks for that detailed response, unfortunately it confirms my feeling that it **can't** be done via an ARM Template, or PowerShell, directly. The [KeyVault](https://github.com/Azure/azure-powershell/commit/10abbe7250993d56627840ceb42f4ebf332fd06f) commit specifically says _The user would provide the key vault url, principal name and secret and the SQL credential name_ and there seems to be no way for PS or an ARM Template to pass in an existing Secret from Key Vault. It looks like I might be doing this via a CustomScript extension :( – AndyHerb Feb 29 '16 at 11:00
  • @AndyHerb Have you tried putting the URL of the secret into the `AzureKeyVaultUrl`? It doesn't strike me as being only capable of a new Key Vault. – Michael B Mar 01 '16 at 00:00
  • The SQL Server Connector for Microsoft Azure Key Vault is capable of using a pre-existing asymmetric key, but the extension/ARM Template functionality doesn't seem to expose that to date. – AndyHerb Mar 01 '16 at 11:23
  • Is it possible to configure "Azure SQL" with EKM and Azure Key Vault to handle cell level encryption? – Lalit Jul 04 '18 at 18:04
  • @Lalit that probably needs its own question to cover properly – Michael B Jul 04 '18 at 18:55

Microsoft have confirmed that it's not currently possible to configure end-to-end EKM via Key Vault using an ARM template alone. The vast majority of it has to be achieved via PowerShell and/or T-SQL. An ARM template can be used to create a Key Vault, but you're not currently able to configure Azure AD Apps (required to authenticate to Key Vault) at present, neither can you add the asymmetric certificate required for TDE into a Key Vault Key.

AndyHerb
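Since the accepted conclusion above is that the template cannot reference a pre-existing Key Vault key, the remaining work lands in T-SQL. The following is an added example (not from the question or either answer) of that post-deployment script run against the SQL Server Connector for Microsoft Azure Key Vault, using `CREATION_DISPOSITION = OPEN_EXISTING` so the instance binds to the key already imported into the vault rather than creating a new, non-exportable one. The vault name `MyVault`, key name `MyTdeKey`, database `MyDb`, the Windows login, and the AAD app id/secret placeholders are all assumptions.

```sql
-- Added example: bind SQL Server's EKM to a key that ALREADY exists in Key Vault.
-- MyVault, MyTdeKey, MyDb, the login and the AAD app id/secret are placeholders.

-- 1. Allow EKM providers on this instance.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'EKM provider enabled', 1;
RECONFIGURE;
GO

-- 2. Register the SQL Server Connector for Microsoft Azure Key Vault (default install path).
CREATE CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM_Prov
FROM FILE = 'C:\Program Files\Microsoft SQL Server Connector for Microsoft Azure Key Vault\Microsoft.AzureKeyVaultService.EKM.dll';
GO

-- 3. Credential used to authenticate to the vault: IDENTITY is the vault name,
--    SECRET is the AAD application (client) id with hyphens removed, followed
--    immediately by the client secret. Never commit the real value to source control.
CREATE CREDENTIAL sysadmin_ekm_cred
    WITH IDENTITY = 'MyVault',
         SECRET   = '<APPID-WITHOUT-HYPHENS><CLIENT-SECRET>'   -- placeholder
    FOR CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM_Prov;
ALTER LOGIN [DOMAIN\SqlAdmin] ADD CREDENTIAL sysadmin_ekm_cred;  -- placeholder login
GO

-- 4. Reference the pre-existing vault key instead of letting SQL create one.
--    OPEN_EXISTING fails (rather than silently creating a key) if MyTdeKey is absent.
CREATE ASYMMETRIC KEY TDE_KEY
    FROM PROVIDER AzureKeyVault_EKM_Prov
    WITH PROVIDER_KEY_NAME = 'MyTdeKey',
         CREATION_DISPOSITION = OPEN_EXISTING;
GO

-- 5. Login and credential the database engine uses to reach the key at startup.
CREATE LOGIN TDE_Login FROM ASYMMETRIC KEY TDE_KEY;
CREATE CREDENTIAL TDE_Login_ekm_cred
    WITH IDENTITY = 'MyVault',
         SECRET   = '<APPID-WITHOUT-HYPHENS><CLIENT-SECRET>'   -- placeholder
    FOR CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM_Prov;
ALTER LOGIN TDE_Login ADD CREDENTIAL TDE_Login_ekm_cred;
GO

-- 6. Create the DEK protected by the vault key and switch encryption on.
USE MyDb;
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER ASYMMETRIC KEY TDE_KEY;
ALTER DATABASE MyDb SET ENCRYPTION ON;
GO
```

Steps 1 to 5 run in `master`; after step 6, `SELECT encryption_state FROM sys.dm_database_encryption_keys` reaching 3 confirms the database is encrypted under the vault-resident key.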