
I have a web application in C# ASP.NET Core 3.0 with a database in Azure in code first with Entity Framework Core. I need to encrypt some sensitive data in it.

I have managed to implement an Azure Key Vault always encrypted system for my application and database but only with Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider v1.1.1.

I would like to implement the 3.0.0 version in order to stay in touch about the latest encryption system, but I'm not able to find any example to work with this version.

Here is my actual code - Program.cs:

    public static IHostBuilder CreateHostBuilder(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureAppConfiguration((context, config) =>
            {
                var keyVaultEndpoint = GetKeyVaultEndpoint();
                if (!string.IsNullOrEmpty(keyVaultEndpoint))
                {
                    // Token source shared by the configuration provider and the column encryption provider.
                    var azureServiceTokenProvider = new AzureServiceTokenProvider();
                    var keyVaultClient = new KeyVaultClient(
                        new KeyVaultClient.AuthenticationCallback(
                            azureServiceTokenProvider.KeyVaultTokenCallback));
                    config.AddAzureKeyVault(keyVaultEndpoint, keyVaultClient, new DefaultKeyVaultSecretManager());

                    // v1.1.1 constructor: takes an AuthenticationCallback.
                    SqlColumnEncryptionAzureKeyVaultProvider sqlColumnEncryptionAzureKeyVaultProvider =
                        new SqlColumnEncryptionAzureKeyVaultProvider(
                            new KeyVaultClient.AuthenticationCallback(
                                azureServiceTokenProvider.KeyVaultTokenCallback));

                    // Register the Azure Key Vault provider for Always Encrypted.
                    SqlConnection.RegisterColumnEncryptionKeyStoreProviders(
                        customProviders: new Dictionary<string, SqlColumnEncryptionKeyStoreProvider>(
                            capacity: 1, comparer: StringComparer.OrdinalIgnoreCase)
                        {
                            {
                                SqlColumnEncryptionAzureKeyVaultProvider.ProviderName, sqlColumnEncryptionAzureKeyVaultProvider
                            }
                        });
                }
            })
            .ConfigureWebHostDefaults(webBuilder =>
            {
                webBuilder.UseStartup<Startup>();
            });

    private static string GetKeyVaultEndpoint() => "https://.........azure.net/";

I have configured my DB columns to be encrypted with my Azure Key Vault and set Column Encryption Setting=enabled in my connection string.

Everything works well, but if I update the NuGet package, then the following call is in error.

    new SqlColumnEncryptionAzureKeyVaultProvider(
        new KeyVaultClient.AuthenticationCallback(
            azureServiceTokenProvider.KeyVaultTokenCallback));

The error is something like: cannot convert from method group to tokencredential

Is there any documentation or code example somewhere to implement the 3.0.0 version in an ASP.NET Core 3.0 code-first environment?

Thanks in advance.

marc_s
Seb
  • Please refer to this document: https://learn.microsoft.com/en-us/sql/connect/ado-net/sql/azure-key-vault-example?view=sql-server-ver15. There is an example that demonstrates using the AzureKeyVaultProvider v2.0+ version when accessing encrypted columns. – ShrutiJoshi-MT Oct 19 '21 at 11:39
  • Thanks for the link, I was not able to find it. I will try. – Seb Oct 20 '21 at 12:24

1 Answer


Unfortunately I was not able to make it work. I'm certainly confused with the parameters:

    static readonly string s_akvUrl = "https://{KeyVaultName}.vault.azure.net/keys/{Key}/{KeyIdentifier}";
    static readonly string s_clientId = "{Application_Client_ID}";
    static readonly string s_clientSecret = "{Application_Client_Secret}";

I only have https://{KeyVaultName}.vault.azure.net, I don't know what Key and KeyIdentifier mean. Same for clientId and clientSecret. I tried to put the secret key generated from in the Key Vault and the clientID the one of my web application, but it seems that I can't get my token.

Seb
  • Hi @seb, did you find an answer to this, and can you share a code example please? – SamJolly Jan 20 '22 at 16:26
  • Hi Sam, unfortunately not. I'm running with the 1.1.1 version of the KeyVault, which works perfectly for us. – Seb Jan 20 '22 at 21:29
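
The conversion error in the question comes from the constructor change: from v2.0 on, SqlColumnEncryptionAzureKeyVaultProvider takes an Azure.Core TokenCredential instead of an AuthenticationCallback. The following is an added example, not code from the question, the answer or the linked Microsoft sample; it assumes the Azure.Identity package is referenced, and the class name, method names and the `<vault-name>` host are hypothetical placeholders.

```csharp
using System;
using System.Collections.Generic;
using Azure.Core;
using Azure.Identity;
using Microsoft.Data.SqlClient;
using Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider;

public static class AlwaysEncryptedSetup   // hypothetical helper, not part of any library
{
    // Placeholder: host name of the vault that holds the column master key.
    private const string VaultHost = "<vault-name>.vault.azure.net";

    public static TokenCredential CreateCredential(
        string tenantId = null, string clientId = null, string clientSecret = null)
    {
        // App registration: tenant ID, application (client) ID and a client
        // secret created on that registration (not a secret stored in Key Vault).
        if (!string.IsNullOrEmpty(clientSecret))
            return new ClientSecretCredential(tenantId, clientId, clientSecret);

        // Otherwise use managed identity or the developer sign-in; this is the
        // Azure.Identity counterpart of AzureServiceTokenProvider.
        return new DefaultAzureCredential();
    }

    public static void Register(TokenCredential credential)
    {
        // v2.0+ constructor: TokenCredential instead of AuthenticationCallback.
        // The second argument limits accepted key paths to this vault host.
        var akvProvider = new SqlColumnEncryptionAzureKeyVaultProvider(credential, VaultHost);

        // May be called only once per process; a second call throws.
        SqlConnection.RegisterColumnEncryptionKeyStoreProviders(
            new Dictionary<string, SqlColumnEncryptionKeyStoreProvider>(
                capacity: 1, comparer: StringComparer.OrdinalIgnoreCase)
            {
                { SqlColumnEncryptionAzureKeyVaultProvider.ProviderName, akvProvider }
            });
    }
}
```

Call `AlwaysEncryptedSetup.Register(AlwaysEncryptedSetup.CreateCredential())` once at startup in place of the v1.1.1 registration. The key path (`.../keys/{Key}/{KeyIdentifier}`) is read from the column master key metadata in the database at query time, so it does not have to be supplied here.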