Using keystore providers
Keystore providers securely store the column master keys, which decrypt the column encryption keys used by Always Encrypted. The driver requires a keystore provider when Always Encrypted is enabled (ColumnEncryption=Enabled | ResultsetOnly). The following sections describe how to configure the driver to use the supported keystore providers.
Azure Key Vault
The Azure Key Vault is a certificate repository hosted on Azure platforms. Using Azure Key Vault offers several advantages, including the ability for applications on any platform to access keys. In addition, since the keys are centrally stored, they do not need to be copied to and cached on a local machine. However, unless your application is running on Azure, calls to the key vault must be made over a WAN, which can negatively impact performance. To use Azure Key Vault, values for the following properties must be provided:
* AEKeystorePrincipalId: Specifies the principal ID for the Azure Key Vault. The principal ID is the Application ID created during Azure App Registration. See "KeyStorePrincipalId" for a detailed description.
* AEKeystoreClientSecret: Specifies the Client Secret used to access the Azure Key Vault. See "AEKeystoreClientSecret" for a detailed description.
Java KeyStore
Java KeyStore is a repository of certificates for Java platforms. Similar to Azure Key Vault, the column master key is stored centrally, which means keys do not need to be cached on local machines. However, unlike Azure Key Vault, access to the Java KeyStore is limited to applications running on Java platforms. To use Java KeyStore, values for the following properties must be provided:
* AEKeystoreLocation: Specifies the absolute path to the Java KeyStore file. See "AEKeystoreLocation" for details.
* AEKeystoreSecret: Specifies the password used to access the Java KeyStore file. See "AEKeystoreSecret" for details.
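
The Java KeyStore configuration described above, as an added example that is not part of the original documentation or the driver's own code: it checks the keystore before connecting and passes the properties to the driver without putting secrets in the URL. The environment variable names, host, database, the jdbc:datadirect:sqlserver URL prefix and the key-entry check are assumptions.

```java
import java.io.File;
import java.security.KeyStore;
import java.sql.Connection;
import java.sql.DriverManager;
import java.util.Collections;
import java.util.Properties;

public class AlwaysEncryptedJksConnect {
    // Fail fast with a clear message instead of passing null to the driver.
    static String env(String name) {
        String v = System.getenv(name);
        if (v == null || v.isEmpty()) throw new IllegalStateException("Missing " + name);
        return v;
    }

    // Checks the keystore before connecting, then builds the driver properties.
    static Properties jksProperties(String keystorePath, char[] secret) throws Exception {
        File ks = new File(keystorePath);
        if (!ks.isAbsolute()) {
            throw new IllegalArgumentException("AEKeystoreLocation must be an absolute path");
        }
        // Loading verifies the file is readable and the password is right (Java 9+).
        KeyStore store = KeyStore.getInstance(ks, secret);
        boolean hasKey = false;
        for (String alias : Collections.list(store.aliases())) {
            hasKey |= store.isKeyEntry(alias);
        }
        // Assumption: the column master key is held as a key entry in this keystore.
        if (!hasKey) throw new IllegalStateException("Keystore holds no key entries");
        Properties props = new Properties();
        props.setProperty("ColumnEncryption", "Enabled");
        props.setProperty("AEKeystoreLocation", ks.getPath());
        props.setProperty("AEKeystoreSecret", new String(secret));
        return props;
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical variable names: secrets come from the environment, not source or the URL.
        Properties props = jksProperties(env("AE_KEYSTORE_PATH"), env("AE_KEYSTORE_SECRET").toCharArray());
        props.setProperty("user", env("DB_USER"));
        props.setProperty("password", env("DB_PASSWORD"));
        // Placeholder host and database; the URL prefix is assumed for the DataDirect driver.
        String url = "jdbc:datadirect:sqlserver://dbhost.example:1433;DatabaseName=ExampleDb";
        try (Connection con = DriverManager.getConnection(url, props)) {
            System.out.println("Connected with ColumnEncryption=Enabled");
        }
    }
}
```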