Always Encrypted
- Documentation on configuring Always Encrypted on SQL Server using the Windows certificate store.
- Documentation on configuring Always Encrypted on Azure SQL using the Windows certificate store. You can follow it up to "Create a client application that works with the encrypted data", skipping the "Create a table" step and instead letting Django create the tables by running `python manage.py migrate`, then encrypting the columns as the documentation describes.
After encrypting the columns, change `settings.py` to enable decryption. Put `"extra_params": "ColumnEncryption=Enabled;"` in the `OPTIONS` dictionary of the `DATABASES` entry in `settings.py`. mssql-django appends `extra_params` to the ODBC connection string, and `ColumnEncryption=Enabled` makes the ODBC driver encrypt query parameters and decrypt results transparently, using the certificate held in the Windows certificate store of the machine running Django. Without it, reads of encrypted columns return the raw ciphertext and parameterised writes to them fail. e.g.:

```python
DATABASES = {
    "default": {
        "ENGINE": "mssql",
        ...
        "OPTIONS": {
            ...
            "extra_params": "ColumnEncryption=Enabled;",
        },
    },
}
```
Using Azure Key Vault as the column master key store, authenticating with a service principal's client secret: follow the Microsoft documentation on how to configure Always Encrypted using Azure Key Vault. You can follow it up to "Create a client application that works with the encrypted data", skipping the "Create a table" step and instead letting Django create the tables by running `python manage.py migrate`.

If the Always Encrypted wizard doesn't work, you can add the Key Vault key manually in SSMS: right-click the Column Master Keys folder under Security > Always Encrypted Keys, select New Column Master Key..., change Key store to Azure Key Vault and select the key to use. If you do it this way, choose that key in the Select column master key dropdown instead of Auto generate column master key in the wizard's Master Key Configuration section.
After encrypting the columns, change `settings.py` to enable decryption. Put `"extra_params": "ColumnEncryption=Enabled;KeyStoreAuthentication=KeyVaultClientSecret;KeyStorePrincipalId=XXXXX;KeyStoreSecret=YYYYY"` in the `OPTIONS` dictionary of the `DATABASES` entry in `settings.py`, where XXXXX and YYYYY are the Application (client) ID and the client secret value of the app registration. Anyone holding that secret can unwrap the column master key and decrypt the data, so read it from an environment variable or a secret store when `settings.py` is evaluated rather than committing it to source control. e.g.:

```python
DATABASES = {
    "default": {
        "ENGINE": "mssql",
        ...
        "OPTIONS": {
            ...
            # Replace XXXXX and YYYYY with the Application (client) ID and client secret value respectively
            "extra_params": "ColumnEncryption=Enabled;KeyStoreAuthentication=KeyVaultClientSecret;KeyStorePrincipalId=XXXXX;KeyStoreSecret=YYYYY",
        },
    },
}
```
Using Azure Key Vault, authenticating with the VM's system-assigned managed identity: follow the Microsoft documentation on how to configure Always Encrypted using Azure Key Vault to create a key vault and set up the encrypted columns. You can follow it up to "Create a client application that works with the encrypted data", skipping the "Create a table" step and instead letting Django create the tables by running `python manage.py migrate`.

On the VM, install the Microsoft ODBC Driver for SQL Server.

Follow the Microsoft docs on setting up a system-assigned managed identity to access Azure SQL up to the "Access data" section; this creates a database user for the VM's identity. Then execute `EXEC sp_addrolemember N'db_owner', N'VMNAME'` in the database, replacing `VMNAME` with the name of the VM. `db_owner` is what `migrate` needs in order to create tables; once migrations have run, a runtime identity only needs the data roles (`db_datareader` and `db_datawriter`) on the tables it uses. `ALTER ROLE db_owner ADD MEMBER [VMNAME]` is the current form of `sp_addrolemember`, which Microsoft has deprecated.

Grant the VM's identity access to the key vault by adding an access policy following the steps in Microsoft's managed identities docs, giving it only the key permissions that the Microsoft Configure Always Encrypted by using Azure Key Vault docs list for a client application and nothing beyond that.
Then in the `OPTIONS` dictionary of the `DATABASES` entry in `settings.py` add `"extra_params": "ColumnEncryption=Enabled;KeyStoreAuthentication=KeyVaultManagedIdentity"`. No identifier or secret is needed: the driver obtains a Key Vault token from the VM's own identity. e.g.:

```python
DATABASES = {
    "default": {
        "ENGINE": "mssql",
        ...
        "OPTIONS": {
            ...
            "extra_params": "ColumnEncryption=Enabled;KeyStoreAuthentication=KeyVaultManagedIdentity",
        },
    },
}
```
Using Azure Key Vault, authenticating with a user-assigned managed identity: create a user-assigned managed identity and assign it to the VM following the procedure outlined in the Microsoft docs.

Then follow the Microsoft docs on setting up a system-assigned managed identity to access Azure SQL up to the "Access data" section, using the managed identity's name wherever those docs use `VMName`. Then execute `EXEC sp_addrolemember N'db_owner', N'NameOfIdentity'` in the database, replacing `NameOfIdentity` with the name of the managed identity you created. The same note applies as for the system-assigned case: `db_owner` is needed for `migrate`, and a narrower data role is enough afterwards.

Grant the managed identity (not the VM itself) access to the key vault by adding an access policy following the steps in Microsoft's managed identities docs, giving it only the key permissions that the Microsoft Configure Always Encrypted by using Azure Key Vault docs list for a client application and nothing beyond that.

Then in the `OPTIONS` dictionary of the `DATABASES` entry in `settings.py` add `"extra_params": "ColumnEncryption=Enabled;KeyStoreAuthentication=KeyVaultManagedIdentity;KeyStorePrincipalId=XXXXX"`, where XXXXX is the principal ID of the managed identity (shown as Object (principal) ID in the Azure portal). `KeyStorePrincipalId` is what tells the driver which of the identities assigned to the VM to use. e.g.:

```python
DATABASES = {
    "default": {
        "ENGINE": "mssql",
        ...
        "OPTIONS": {
            ...
            # Replace XXXXX with the user-assigned managed identity's principal ID
            "extra_params": "ColumnEncryption=Enabled;KeyStoreAuthentication=KeyVaultManagedIdentity;KeyStorePrincipalId=XXXXX",
        },
    },
}
```
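The four `extra_params` variants above (Windows certificate store, client secret, system-assigned and user-assigned managed identity) differ only in the ODBC keywords appended to the connection string. The following added example, which is not mssql-django project code, builds that string from the chosen mode, takes the client ID, secret and principal ID from environment variables instead of `settings.py` literals, refuses the XXXXX/YYYYY placeholders, and lets you check that a `DATABASES` entry really has column encryption switched on. The environment variable names `AKV_CLIENT_ID`, `AKV_CLIENT_SECRET` and `AKV_PRINCIPAL_ID` are assumptions of this example.

```python
"""Build and check mssql-django's OPTIONS["extra_params"] for Always Encrypted.

Added example, not mssql-django project code. The environment variable names
AKV_CLIENT_ID, AKV_CLIENT_SECRET and AKV_PRINCIPAL_ID are assumptions of this
example; the ODBC keywords are the ones used in the settings examples above.
"""
import os
import re

# (ODBC keyword, literal value, environment variable) per key-store mode. A None
# literal means the value is read from the named environment variable.
_MODES = {
    # Column master key in the Windows certificate store of the client machine.
    "cert_store": [],
    # Service principal: KeyStorePrincipalId is the Application (client) ID.
    "client_secret": [
        ("KeyStoreAuthentication", "KeyVaultClientSecret", None),
        ("KeyStorePrincipalId", None, "AKV_CLIENT_ID"),
        ("KeyStoreSecret", None, "AKV_CLIENT_SECRET"),
    ],
    # The VM's system-assigned identity: no identifier or secret in the config.
    "system_managed_identity": [
        ("KeyStoreAuthentication", "KeyVaultManagedIdentity", None),
    ],
    # A user-assigned identity: KeyStorePrincipalId selects which one to use.
    "user_managed_identity": [
        ("KeyStoreAuthentication", "KeyVaultManagedIdentity", None),
        ("KeyStorePrincipalId", None, "AKV_PRINCIPAL_ID"),
    ],
}

# The XXXXX / YYYYY placeholders from the instructions must never reach production.
_PLACEHOLDER = re.compile(r"^(X+|Y+)$")


def build_extra_params(mode, env=None):
    """Return the extra_params string for `mode`, taking IDs and secrets from `env`.

    Raises ValueError when a required value is missing, still a placeholder, or
    contains ';' (the ODBC keyword separator), so a misconfigured deployment
    fails when settings.py is evaluated instead of quietly running with column
    encryption disabled or a broken connection string.
    """
    env = os.environ if env is None else env
    pairs = [("ColumnEncryption", "Enabled")]
    for keyword, literal, env_var in _MODES[mode]:
        value = literal if literal is not None else env.get(env_var, "")
        if not value or _PLACEHOLDER.match(value):
            raise ValueError(f"{mode}: set {env_var} to supply {keyword}")
        if ";" in value:
            raise ValueError(f"{keyword} must not contain ';'")
        pairs.append((keyword, value))
    return ";".join(f"{k}={v}" for k, v in pairs)


def parse_extra_params(extra_params):
    """Split a 'k=v;k=v;' string into a dict (the inverse of build_extra_params)."""
    result = {}
    for item in extra_params.split(";"):
        if item.strip():
            key, _, value = item.partition("=")
            result[key.strip()] = value.strip()
    return result


def column_encryption_enabled(options):
    """True if a DATABASES[...]["OPTIONS"] dict switches Always Encrypted on."""
    params = parse_extra_params(options.get("extra_params", ""))
    return params.get("ColumnEncryption", "").lower() == "enabled"


def database_settings(mode, env=None, **conn):
    """Assemble a DATABASES["default"] entry for mssql-django with encryption on.

    Any extra_params passed in via OPTIONS is discarded so the Always Encrypted
    keywords cannot be overridden by other configuration.
    """
    options = {k: v for k, v in conn.pop("OPTIONS", {}).items() if k != "extra_params"}
    options["extra_params"] = build_extra_params(mode, env)
    return {"ENGINE": "mssql", **conn, "OPTIONS": options}


if __name__ == "__main__":
    # Constructed sample environment; a real deployment reads os.environ.
    sample_env = {"AKV_CLIENT_ID": "11111111-2222-3333-4444-555555555555",
                  "AKV_CLIENT_SECRET": "example-secret"}
    print(database_settings("client_secret", sample_env, NAME="appdb",
                            HOST="example.database.windows.net"))
```

In `settings.py` you would write `DATABASES = {"default": database_settings("system_managed_identity", NAME=..., HOST=...)}` and let the ValueError abort startup if the environment is incomplete; the builder emits `ColumnEncryption=Enabled` without the trailing `;` shown above, which the driver accepts equally.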
Authenticating to Key Vault with a username/password or with AKV Interactive is unsupported at this time.