In Level 3 of this stairway series, we have seen how to configure TDE in SQL Server with the asymmetric keys stored outside of the SQL Server in Azure Key Vault, thereby imposing additional security. SQL Server Connector for Microsoft Azure Key Vault bridges SQL server and Microsoft Azure EKM Provider. The cryptographic provider DLL gets installed as part of the SQL Server Connector installation. The cryptographic provider DLL is the one that allows SQL Server to connect with Azure Key Vault. An asymmetric key was created using the Cryptographic provider and the Azure key. The version of SQL Server Connector we used in Level 3 was version 1.0.4. Microsoft has released an updated version which is 1.0.5.
This article explains the steps to upgrade the SQL Server Connector for Microsoft Azure Key Vault from 1.0.4 to 1.0.5.
Current Setup Before the Upgrade
Currently, the default instance of SQL Server is hosted on workstation DESKTOP-UJQKUQK, configured with Transparent Data Encryption (TDE) utilizing Azure Key Vault version 1.0.4.
Run the below TSQL query in SSMS to get the current cryptographic provider version
SELECT name,version,dll_path from sys.cryptographic_providers
Below image shows the details of the current cryptographic provider version for the Azure key vault.
To verify the accessibility of the database under the current TDE setup (version 1.0.4), we executed a select command to retrieve records from the Employee table within the TDETesting database. The successful return of data confirms that both the database and table are accessible for operations as shown in the below image.
We will verify the same verification step after the SQL Connector upgrade as well.
Upgrade Steps
Download the latest 'SQL Server Connector for Microsoft Azure Key Vault' from Microsoft site as shown below.
Run the installer which pops up the below window. Click Next.
Click on Install button
Click on finish button
Upon the installation completion, the 1.0.5 SQL Server connector gets downloaded to the folder C:\Program Files\SQL Server Connector for Microsoft Azure Key Vault in the workstation.
The next step is to restart the SQL Server services from SQL Configuration Manager. Connect to the SQL Server Configuration Manager, right click on the SQL Server instance and click on restart button as shown below.
It is advisable to stop the application during the upgrade process. This ensures that connections are terminated, which is necessary for disabling the provider as part of the SQL connector upgrade.
Now, Open the SSMS in the workstation and execute the below script to disable the current cryptographic provider AzureKeyVault_EKM_Prov.
ALTER CRYPTOGRAPHIC PROVIDER [AzureKeyVault_EKM_Prov] DISABLE;
Update the cryptographic provider path to the new location where we downloaded the SQL Server Connector DLL file, using the script provided below.
ALTER CRYPTOGRAPHIC PROVIDER [AzureKeyVault_EKM_Prov] FROM FILE = 'C:\Program Files\SQL Server Connector for Microsoft Azure Key Vault\Microsoft.AzureKeyVaultService.EKM.dll'
Output of the script execution is as follows.
Now, enable the cyptographic provider using the below script
ALTER CRYPTOGRAPHIC PROVIDER [AzureKeyVault_EKM_Prov] ENABLE;
Output of script execution is shown below
We have completed the upgrade of the Azure cryptographic provider for TDE from version 1.0.4 to 1.0.5
Verification
In order to verify the version change, execute the below script to check the SQL Connector version.
SELECT name,version,dll_path from sys.cryptographic_providers
Output of the script execution shown below. We can observe that the version got changed from 1.0.4 to 1.0.5 looking at the version column of the output.
Verify the Database Accessibility
To confirm that data can be retrieved from the Employee table in the TDETesting database, execute the query below. This will demonstrate the ability to query the specified table for verification purposes.
