Keystore providers store the column master keys used for decrypting column encryption keys when using Always Encrypted. The driver currently supports the Windows Certificate Store and Azure Key Vault providers. Based on the encryption metadata received from the server, the driver dynamically determines which provider to use for encrypting parameters or decrypting data in result sets.
Windows Certificate Store
The Windows Certificate Store is a local repository of certificates available only on Windows platforms. When using this provider, the column master key is stored locally on the client machine, which reduces the need to make calls over a network. The driver does not require any additional configuration to use the Windows Certificate Store as a provider when Always Encrypted is enabled (ColumnEncryption=Enabled | ResultsetOnly).
Azure Key Vault
The Azure Key Vault is a certificate repository hosted on Azure platforms. This provider offers several advantages over the Windows Certificate Store, including the ability to access keys when the application is running on any platform. In addition, keys do not need to be copied to and cached on the local machine. However, unless the application is running on Azure, calls to the key vault must be made over a WAN, which can affect performance. To access the column master key, the principal ID and Client Secret must be used to authenticate against the Azure Key Vault. You can specify the principal ID and Client Secret using the following options:
Key Store Principal Id (AEKeystorePrincipalId): Specifies the principal ID used to authenticate against the Azure Key Vault. See "Key Store Principal Id" for a detailed description.
Key Store Secret (AEKeystoreClientSecret): Specifies the Client Secret used to authenticate against the Azure Key Vault. See "Key Store Secret" for a detailed description.
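The two Azure Key Vault options above end up as attributes in the connection string alongside ColumnEncryption. The following is an added example, not code from the driver documentation, showing one way to assemble that string while keeping the Client Secret out of source code and out of logs; the DSN name, principal ID and environment-variable name are constructed placeholders.

```python
"""Assemble an Always Encrypted connection string for the Azure Key Vault provider."""
import os
import re

# Constructed placeholders: a real DSN and principal ID come from the
# application's own configuration, never from this example.
DSN = "MyAlwaysEncryptedDsn"                          # hypothetical DSN name
PRINCIPAL_ID = "00000000-0000-0000-0000-000000000000"  # placeholder principal ID
SECRET_ENV_VAR = "AE_KEYSTORE_CLIENT_SECRET"          # hypothetical env var name

# Matches the Client Secret attribute so it can be masked before logging.
_SECRET_PATTERN = re.compile(r"(AEKeystoreClientSecret=)[^;]*", re.IGNORECASE)


def value_is_usable(value: str) -> bool:
    """A value must be non-blank and must not contain the ';' attribute separator."""
    return bool(value) and bool(value.strip()) and ";" not in value


def build_connection_string(dsn: str, principal_id: str, client_secret: str,
                            mode: str = "Enabled") -> str:
    """Combine ColumnEncryption with the two Azure Key Vault attributes.

    mode is the ColumnEncryption value: 'Enabled' or 'ResultsetOnly'.
    A missing or malformed secret is rejected here instead of being handed
    to the driver, where it would surface only as an authentication failure.
    """
    if mode not in ("Enabled", "ResultsetOnly"):
        raise ValueError(f"unsupported ColumnEncryption value: {mode!r}")
    if not value_is_usable(principal_id):
        raise ValueError("AEKeystorePrincipalId is missing or malformed")
    if not value_is_usable(client_secret):
        raise ValueError("AEKeystoreClientSecret is missing or malformed")
    return (f"DSN={dsn};ColumnEncryption={mode};"
            f"AEKeystorePrincipalId={principal_id};"
            f"AEKeystoreClientSecret={client_secret}")


def redact(conn_str: str) -> str:
    """Mask the Client Secret so the string can be logged or echoed safely."""
    return _SECRET_PATTERN.sub(r"\1***", conn_str)


def connection_string_from_env(dsn: str = DSN, principal_id: str = PRINCIPAL_ID) -> str:
    """Read the Client Secret from the environment rather than hard-coding it."""
    return build_connection_string(dsn, principal_id, os.environ.get(SECRET_ENV_VAR, ""))


if __name__ == "__main__":
    os.environ.setdefault(SECRET_ENV_VAR, "constructed-sample-secret")
    print(redact(connection_string_from_env()))
```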