
I would like to know if there is a way, and how to do it if possible, to decrypt Always Encrypted columns using a Column Master Key (CMK) stored in Azure Key Vault using Entity Framework.
I followed the tutorial from: Microsoft Docs.

But they are not using EF. Also they mention that CMK is being stored in Azure Key Vault.

My main goal here is to encrypt some data in Azure DB, but allow users to see that data. (Example: credit-card numbers, SSN, etc.)
I have some data in DB already and I want to preserve it.

I don't want to have to install Windows certificates everywhere, because this would be a web app, so that is why I decided to go with the Azure Key Vault option, and if I understood correctly this is a way to go without changing much of the application.

Am I on the right path here?
Is this decryption possible?

Thanks


1 Answer


Am I on the right path here?

You are on the correct path! Please proceed with your approach.

Is this decryption possible?

Absolutely yes, decryption is possible. You just need to establish the connection in SSMS with column encryption setting=enabled.

Follow this tutorial to achieve your goal

Once you are done with the steps mentioned above:

Step 1:

Log in to SSMS as below (always use the latest SSMS).

Step 2:

Select the table which you need to decrypt (i.e. select * from users).

Log in to your Microsoft account (assuming you already have enough rights to Azure Key Vault through access policies).

P.S. Just register your application in Azure AD and add the application to the Key Vault access policies if you want to decrypt from an ASP.NET application.

For this, the connection string will also need to be updated:

Data Source=server63; Initial Catalog=Clinic; Integrated Security=true; Column Encryption Setting=enabled
Jayendran
  • Thank you for the reply. If I understand correctly, using the NuGet libraries 1. Microsoft.SqlServer.Management.AlwaysEncrypted.AzureKeyVaultProvider 2. Microsoft.IdentityModel.Clients.ActiveDirectory, and registering from my app like in the MS docs through those NuGet libraries, I can use Entity Framework to get the data? – Lazar Cvijovic Aug 30 '18 at 11:42
  • @LazarCvijovic Exactly, you got it! This is the way for the application to decrypt the data. For checking manually through SSMS you can easily add yourself into the access policies in Azure Key Vault – Jayendran Aug 30 '18 at 11:44
  • Thank you. I will mark your answer as a correct one. – Lazar Cvijovic Aug 30 '18 at 11:44
  • Not enough reputation, sorry :) – Lazar Cvijovic Aug 30 '18 at 12:57
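The answer and the follow-up comments above describe the pieces (an Azure AD app registration with a Key Vault access policy, the two NuGet packages, and "Column Encryption Setting=enabled" in the connection string) but not how they fit together in an Entity Framework app. The following is an added example, not code from the question, the answer or Microsoft's docs, showing an EF6 DbContext reading Always Encrypted columns whose CMK lives in Azure Key Vault. It assumes EF6 with System.Data.SqlClient, the two packages named in the comments, a hypothetical Patients table with a deterministically encrypted char(11) SSN column, and placeholder client id/secret values; the connection string is the one from the answer.

```csharp
// Added example (not the page's own code). Assumed NuGet packages:
//   Microsoft.SqlServer.Management.AlwaysEncrypted.AzureKeyVaultProvider
//   Microsoft.IdentityModel.Clients.ActiveDirectory (ADAL)
//   EntityFramework 6.x
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.ComponentModel.DataAnnotations.Schema;
using System.Data.Entity;
using System.Data.SqlClient;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using Microsoft.SqlServer.Management.AlwaysEncrypted.AzureKeyVaultProvider;

public static class KeyVaultColumnEncryption
{
    // Placeholders for the Azure AD app registration that is listed in the
    // Key Vault access policy. Keep the secret out of source control.
    private const string ClientId     = "<app-registration-client-id>";
    private const string ClientSecret = "<app-registration-client-secret>";
    private static ClientCredential _clientCredential;
    private static bool _registered;

    // Call once at startup (e.g. Application_Start). SqlClient only allows the
    // key store providers to be registered once per process.
    public static void Register()
    {
        if (_registered) return;
        _clientCredential = new ClientCredential(ClientId, ClientSecret);
        var akvProvider = new SqlColumnEncryptionAzureKeyVaultProvider(GetTokenAsync);
        var providers = new Dictionary<string, SqlColumnEncryptionKeyStoreProvider>
        {
            { SqlColumnEncryptionAzureKeyVaultProvider.ProviderName, akvProvider } // "AZURE_KEY_VAULT"
        };
        SqlConnection.RegisterColumnEncryptionKeyStoreProviders(providers);
        _registered = true;
    }

    // Token callback: the provider invokes it when it must unwrap a column
    // encryption key with the CMK stored in the vault. The app identity needs
    // at least get, unwrapKey and verify key permissions in the access policy.
    private static async Task<string> GetTokenAsync(string authority, string resource, string scope)
    {
        var authContext = new AuthenticationContext(authority);
        AuthenticationResult result = await authContext.AcquireTokenAsync(resource, _clientCredential);
        if (result == null)
            throw new InvalidOperationException("Failed to obtain a Key Vault access token");
        return result.AccessToken;
    }
}

// Hypothetical entity. The SSN column is assumed to be char(11) and encrypted
// deterministically; the annotations make EF send a parameter of the same SQL
// type, which Always Encrypted requires for the driver to encrypt it correctly.
[Table("Patients")]
public class Patient
{
    [Key]
    public int PatientId { get; set; }
    public string Name { get; set; }

    [Column("SSN", TypeName = "char")]
    [StringLength(11)]
    public string SSN { get; set; }
}

public class ClinicContext : DbContext
{
    // Connection string from the answer; the only Always Encrypted-specific part
    // is "Column Encryption Setting=enabled", which makes SqlClient decrypt
    // result columns and encrypt parameters transparently. EF is unaware of it.
    public ClinicContext()
        : base("Data Source=server63; Initial Catalog=Clinic; Integrated Security=true; Column Encryption Setting=enabled")
    { }

    public DbSet<Patient> Patients { get; set; }
}

public static class PatientQueries
{
    // Plain reads: rows arrive decrypted because SqlClient, not EF, does the work.
    public static List<Patient> LoadAll()
    {
        using (var ctx = new ClinicContext())
            return ctx.Patients.AsNoTracking().ToList();
    }

    // Equality filters on an encrypted column work only with deterministic
    // encryption and only when the value travels as a parameter (a closure
    // variable here, never a literal spliced into SQL text).
    public static Patient FindBySsn(string ssn)
    {
        using (var ctx = new ClinicContext())
            return ctx.Patients.AsNoTracking().FirstOrDefault(p => p.SSN == ssn);
    }
}
```

Call KeyVaultColumnEncryption.Register() once during application startup before any DbContext is created; a second RegisterColumnEncryptionKeyStoreProviders call throws. Existing rows stay intact because decryption happens on the client in SqlClient, so the question's goal of keeping already-stored data holds as long as the CMK metadata in the database points at the Key Vault key the app identity is allowed to use. Range queries, LIKE and ordering on encrypted columns are not possible with either encryption type, and the Integrated Security part of the connection string is the answer's on-premises example; an Azure SQL Database would use SQL or Azure AD authentication there instead.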