
Key Vault authentication with Managed Identities

lilgreenbird edited this page Apr 2, 2020 · 4 revisions

Starting with JDBC Driver v8.3.0, the driver supports authenticating to Azure Key Vault using Managed Identities.

Always Encrypted is a security feature introduced in SQL Server 2016 to ensure that the data stored in a database remains encrypted at all times, including during SQL Server query processing. It allows clients to encrypt sensitive data, such as credit card numbers and national identification numbers, inside the client application and never reveal the encryption keys to the database engine.

The JDBC Driver supports Always Encrypted as of version 6.0 (or higher). Please see Using Always Encrypted with the JDBC driver for a description of how to use Always Encrypted with the JDBC driver.

Azure Key Vault is a convenient option to store and manage column master keys for Always Encrypted. If the application is hosted in Azure, the user can use Managed Identities to authenticate to the Azure Key Vault, which eliminates the need to provide and expose any credentials in the code or configuration.

For JDBC Driver 8.3.0 and later, the driver introduced the following connection properties:

| Connection Property | Value (Key Vault, client secret) | Value (Key Vault, managed identity) | Value (Java Key Store) |
|---|---|---|---|
| `keyStoreAuthentication` | `KeyVaultClientSecret` | `KeyVaultManagedIdentity` | `JavaKeyStorePassword` |
| `keyStorePrincipalId` | `<Azure AD Application Client ID>` | `<Azure AD Application Object ID>` (optional) | n/a |
| `keyStoreSecret` | `<Azure AD Application Client Secret>` | n/a | `<secret/password for the Java Key Store>` |

The following examples show how the connection properties are used in a connection string.

Use Managed Identity to authenticate to AKV (the system-assigned identity of the host is used when no principal ID is given):

```
"jdbc:sqlserver://<server>:<port>;columnEncryptionSetting=Enabled;keyStoreAuthentication=KeyVaultManagedIdentity;"
```

Use Managed Identity and the principal ID (object ID of a user-assigned identity) to authenticate to AKV:

```
"jdbc:sqlserver://<server>:<port>;columnEncryptionSetting=Enabled;keyStoreAuthentication=KeyVaultManagedIdentity;keyStorePrincipalId=<principalId>"
```

Use clientId and clientSecret to authenticate to AKV:

```
"jdbc:sqlserver://<server>:<port>;columnEncryptionSetting=Enabled;keyStoreAuthentication=KeyVaultClientSecret;keyStorePrincipalId=<clientId>;keyStoreSecret=<clientSecret>"
```

Note that the `keyStoreAuthentication` values are the ones listed in the table above (`KeyVaultManagedIdentity`, `KeyVaultClientSecret`, `JavaKeyStorePassword`).
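The same two Key Vault modes expressed as a `Properties` object rather than a raw connection string, as an added example that is not part of the original wiki page or the driver's own code. It assumes placeholder server/database values and that the client ID, client secret and database login are supplied through the environment variables `CLIENT_ID`, `CLIENT_SECRET`, `DB_USER` and `DB_PASSWORD`; with a managed identity no secret is placed in the configuration at all.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Objects;
import java.util.Properties;

public class AkvKeyStoreAuthExample {

    // Placeholder server/database; replace with your own values.
    private static final String URL =
        "jdbc:sqlserver://<server>:<port>;databaseName=<database>;encrypt=true;";

    /**
     * Builds the Always Encrypted key-store properties for the two AKV modes.
     * managedIdentity = true  -> KeyVaultManagedIdentity, no secret anywhere in config;
     *                            principalId (object ID) is only needed for a
     *                            user-assigned identity and may be null.
     * managedIdentity = false -> KeyVaultClientSecret, with the client ID/secret
     *                            read from assumed environment variables.
     */
    static Properties keyStoreProperties(boolean managedIdentity, String principalId) {
        Properties props = new Properties();
        props.setProperty("columnEncryptionSetting", "Enabled");
        if (managedIdentity) {
            props.setProperty("keyStoreAuthentication", "KeyVaultManagedIdentity");
            if (principalId != null) {
                props.setProperty("keyStorePrincipalId", principalId);
            }
        } else {
            props.setProperty("keyStoreAuthentication", "KeyVaultClientSecret");
            props.setProperty("keyStorePrincipalId",
                Objects.requireNonNull(System.getenv("CLIENT_ID"), "CLIENT_ID not set"));
            props.setProperty("keyStoreSecret",
                Objects.requireNonNull(System.getenv("CLIENT_SECRET"), "CLIENT_SECRET not set"));
        }
        return props;
    }

    public static void main(String[] args) throws SQLException {
        Properties props = keyStoreProperties(true, null);   // system-assigned identity
        props.setProperty("user", System.getenv("DB_USER"));          // assumed env var
        props.setProperty("password", System.getenv("DB_PASSWORD"));  // assumed env var

        // Always Encrypted needs parameterized queries: the driver encrypts the
        // parameter on the client with the column key it unwraps via Key Vault.
        String sql = "SELECT CustomerName FROM dbo.Customers WHERE SSN = ?";
        try (Connection conn = DriverManager.getConnection(URL, props);
             PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, "795-73-9838");                  // constructed sample value
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    System.out.println(rs.getString(1));     // decrypted on the client
                }
            }
        }
    }
}
```

The table and column names are constructed for illustration; the point is that the encrypted column is only ever compared through a driver parameter, never concatenated into the SQL text.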

Users are encouraged to use these connection properties to specify the type of authentication used for the key stores instead of registering a SQLServerColumnEncryptionAzureKeyVaultProvider programmatically, as that approach will be deprecated in a future release.

Note: The previously added connection properties keyVaultProviderClientId and keyVaultProviderClientKey are deprecated, replaced by the connection properties described above, and will be removed in a future release.

For more information about using Azure Key Vaults, please see Azure Key Vault documentation.

For information on how to configure Managed Identities, please see Configure managed identities for Azure resources on a VM using the Azure portal.