How to configure a TDE database with AlwaysOn using Azure Key Vault in SQL Server 2016

One of the recent tasks I undertook, configuring Transparent Data Encryption (TDE) using asymmetric key protection with Azure Key Vault on an Always On setup, opened a different dimension on securing data for me. Even though it seems slightly complex, if you have the key details, the steps are in fact really straightforward.


I strongly recommend going through the MSDN article on SQL Server Transparent Data Encryption (TDE) using Azure Key Vault in order to understand Azure Key Vault configuration and integration.


Background

In order to encrypt the database encryption key with an asymmetric key, use an asymmetric key that resides on an Extensible Key Management Provider. Extensible Key Management (EKM) is another new feature in SQL Server that adds the ability to store the encryption keys used for TDE on hardware, specifically designed for key security and management. Such devices are called High-Security Modules (HSM), whose vendors are referred to as EKM providers. A good Key Management Vendor should supply you with software libraries that easily add and implement Key Management in SQL Server encryption.


In asymmetric encryption, two different keys are used: a public key for encrypting the data, and a private key for decrypting it. This type of asymmetric encryption is referred to as Public Key Infrastructure (PKI) or Public Key Cryptography-based encryption.


Azure Key Vault

Azure Key Vault is a secure key management feature that is essential to secure and protect data in the Azure cloud. We use Azure Key Vault to encrypt keys and small secrets like passwords that use keys stored in hardware high-security modules (HSMs). For added assurance, import or generate keys in HSMs, and let Microsoft process your keys in FIPS 140-2 Level 2 validated HSMs (hardware and firmware).


Introduction

SQL Server running on an Azure Virtual Machine can use an asymmetric key from the Key Vault. When running SQL Server in an Azure VM, SQL Server can use keys stored in the Azure Key Vault through EKM. This article covers the role of a DBA in setting up a SQL Server 2016 TDE database on an Azure VM with Always On, using the Azure Key Vault. It also outlines the prerequisites and required details for seamless implementation of protecting the data using an asymmetric key.


Let’s proceed, with the assumption that we have the necessary details from the Azure Key Manager such as:


  • KeyVaultName
  • Active Directory Application Client ID
  • Active Directory Client Secret
  • Key Encryption Key Name (KEK)

Let’s also add another set of assumptions from the DBA side:


  • An Always On Availability Group that is already configured

For example,


Name                     Description                                                                                    Value
ResourceGroupName        Key Vault Resource Group Name                                                                  az-prod-sql-001
VaultName                Key Vault Name                                                                                 az-kv-sql-001
AADApp                   AAD Application Name                                                                           az-aadapp-kv-001
AADObjectID              Azure Active Directory Application Client ID                                                   2db602bd-4x4x-4322-8xxf-d128c143c8a9
AADClientSecret          Active Directory Client Secret                                                                 FZCzXY3K8RpZoK12MxF/WFxxAw6aOxxPU2ixxEkQBbc=
Secret                   The AAD Client ID (with the hyphens removed) and the AAD Client Secret concatenated together    2db602bd4x4x43228xxfd128c143c8a9FZCzXY3K8RpZoK12MxF/WFxxAw6aOxxPU2ixxEkQBbc=
Key Encryption Key Name  Key Encryption Key Name (KEK)                                                                  az-kek-sql-001

SQL Server Connector

The SQL Server Connector for Microsoft Azure Key Vault enables SQL Server encryption to use the Azure Key Vault service as an Extensible Key Management (EKM) provider to protect SQL Server encryption keys.


Download the SQL Server Connector from the Microsoft Download Center, and follow the steps below to complete the installation.


  • Browse to the installation folder
  • Click Next
  • Select the "I agree to the terms and license agreement" radio button
  • Select the location where the libraries should be installed
  • Click Next, and then Finish

By default, the connector installs at C:\Program Files\SQL Server Connector for Microsoft Azure Key Vault. This location can be changed during setup. (If changed, adjust the scripts below.) The Connector is the cryptographic EKM provider DLL that needs to be registered with SQL Server by using the CREATE CRYPTOGRAPHIC PROVIDER statement.


The SQL Server Connector installation also allows you to optionally download sample scripts to help with SQL Server encryption.


Configure SQL Server

In this section, we shall see how to add a TDE-encrypted database to an Always On Availability Group that is already configured. Assume that we have configured the Always On Availability Group SQLAG2, which contains three replicas.


In the following screenshot, iServerReportingDB is the database that is going to be configured for TDE. Let's see the steps to configure TDE and use EKM on an Always On setup.


On the Principal,


  • Set up EKM
  • Set up credentials
  • Configure TDE
  • Add the database to the Always On availability group
  • Perform a full database backup
  • Perform a log backup

On the Secondary, the steps are a little different from the procedure above:


  • Create the database
  • Set up EKM
  • Set up credentials
  • Configure TDE
  • Restore the database with the REPLACE option
  • Restore the log
  • Join the database to the Always On availability group

Let's look at all of the above steps in detail and configure TDE with an asymmetric key on the Availability Group using Azure Key Vault.


Check the database’s encryption configuration


SELECT d.name, dek.encryption_state
FROM
sys.dm_database_encryption_keys AS dek
JOIN sys.databases AS d
ON dek.database_id = d.database_id;

This indicates that no databases are configured for TDE.


Step 1: EKM Setup


-- Enable advanced options.
USE master;
GO
sp_configure 'show advanced options', 1;
GO
RECONFIGURE;
GO
-- Enable the EKM provider option
sp_configure 'EKM provider enabled', 1;
GO
RECONFIGURE;
GO

The SQL statement below creates a cryptographic provider from the SQL Server Connector, which is an EKM provider for the Azure Key Vault. This example uses the name AzureKeyVault_EKM_Prov. Note that the DLL location should be taken from where you installed the Connector; this is the Connector path.


CREATE CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM_Prov
FROM FILE = 'C:\Program Files\SQL Server Connector for Microsoft Azure Key Vault\Microsoft.AzureKeyVaultService.EKM.dll';
GO

STEP 2: Setup Credentials


Create a credential from your Azure Active Directory Client ID and Secret that you can use to grant a SQL Server account access to your Azure key vault:


  1. IDENTITY here is the name of your Azure key vault.
  2. SECRET here is your AAD Client ID (with the hyphens removed) and your AAD Client Secret concatenated together.

USE master;
GO
CREATE CREDENTIAL sysadmin_ekm_cred
WITH IDENTITY = 'hq-kv-sql-0001',
     SECRET = '2db602bd4x4x23452xxfd128c143c8a9FZCzXY3K8RpZoK12MxF/WFxxAw6aOxxPU2ixxEkQBbc='
FOR CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM_Prov;
GO

Add the credentials to the SQL Server administrator’s domain login.


-- [UU\ABCDF] is the DOMAIN\login of the SQL Server administrator
ALTER LOGIN [UU\ABCDF] ADD CREDENTIAL sysadmin_ekm_cred;

STEP 3: Create asymmetric Key and SQL Login


  • Use the EKM to open the asymmetric KEK
  • Key Encryption Key name

USE master;
GO
-- Use the EKM to open the asymmetric KEK that was previously created in the Key Vault
CREATE ASYMMETRIC KEY TDE_KEY -- Give the asymmetric KEK a name in SQL Server
FROM PROVIDER AzureKeyVault_EKM_Prov
WITH PROVIDER_KEY_NAME = 'hq-kek-sql-0001', -- The name of the asymmetric KEK in Azure Key Vault
     CREATION_DISPOSITION = OPEN_EXISTING; -- To indicate that the key already exists in the Key Vault
GO

Step 4: Create SQL Server Login


-- Create a SQL Server Login associated with the KEK for the Database Engine
-- to use whenever it loads a database encrypted by TDE
CREATE LOGIN TDE_Login
FROM ASYMMETRIC KEY TDE_KEY;
GO
-- Create a SQL credential for the SQL Server Database Engine to use to
-- access the Key Vault EKM during database load
CREATE CREDENTIAL Azure_EKM_TDE_cred
WITH IDENTITY = 'hq-kv-sql-0001',
     SECRET = '2db602bd4x4x34562xxfd128c143c8a9FZCzXY3K8RpZoK12MxF/WFxxAw6aOxxPU2ixxEkQBbc='
FOR CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM_Prov;
GO
-- Alter the TDE Login to add this Credential for use by the Database Engine
-- to access the Key Vault
ALTER LOGIN TDE_Login
ADD CREDENTIAL Azure_EKM_TDE_cred;
GO
-- Create the database encryption key (DEK) that will be used for TDE.
-- The DEK can be created using any SQL Server supported Algorithm
-- or Key Length.
-- The DEK will be protected by the Asymmetric KEK in the Key Vault
USE iServerReportingDB;
GO
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_256
ENCRYPTION BY SERVER ASYMMETRIC KEY TDE_KEY;
GO

Enable TDE on SQL Database by Using Transact-SQL


  • Connect to the master database
  • Execute the following SQL statement to encrypt the database:

    -- Alter the database to enable transparent data encryption.
    -- This uses the asymmetric KEK you imported from Azure Key Vault to wrap your DEK.
    ALTER DATABASE iServerReportingDB
    SET ENCRYPTION ON;
    GO

  • Monitor the progress of encryption:

    SELECT d.name, dek.encryption_state
    FROM
    sys.dm_database_encryption_keys AS dek
    JOIN sys.databases AS d
    ON dek.database_id = d.database_id;
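The monitoring query above only returns the raw encryption_state number. The following check script is an added example (not from the original article): run it on each replica after steps 1 to 4 to confirm that every link of the EKM chain the article builds is present, and to see the DEK state decoded. Object names follow the article (AzureKeyVault_EKM_Prov, TDE_KEY, TDE_Login, Azure_EKM_TDE_cred); adjust them if yours differ.

```sql
-- Added check script (not part of the original article): run on each replica
-- after steps 1 to 4 to confirm the EKM chain the article builds is in place.
-- Object names follow the article (AzureKeyVault_EKM_Prov, TDE_KEY, TDE_Login,
-- Azure_EKM_TDE_cred); adjust them if yours differ.
USE master;
GO
-- 1. Instance-level switch from step 1 (expect value_in_use = 1)
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'EKM provider enabled';

-- 2. The Connector DLL registered as a cryptographic provider (expect is_enabled = 1)
SELECT name, dll_path, is_enabled, version
FROM sys.cryptographic_providers
WHERE name = 'AzureKeyVault_EKM_Prov';

-- 3. Credentials bound to the provider and the logins they are mapped to
--    (steps 2 and 4); credential_identity is the vault name, never the secret.
SELECT c.name AS credential_name, c.credential_identity, sp.name AS mapped_login
FROM sys.credentials AS c
LEFT JOIN sys.server_principal_credentials AS spc ON spc.credential_id = c.credential_id
LEFT JOIN sys.server_principals AS sp ON sp.principal_id = spc.principal_id
WHERE c.target_type = 'CRYPTOGRAPHIC PROVIDER';

-- 4. The asymmetric KEK opened from the vault (step 3) and the login created from it
SELECT ak.name AS kek_name, ak.algorithm_desc, ak.key_length, ak.thumbprint,
       sp.name AS kek_login
FROM sys.asymmetric_keys AS ak
LEFT JOIN sys.server_principals AS sp ON sp.sid = ak.sid
WHERE ak.cryptographic_provider_guid IS NOT NULL;   -- EKM-backed keys only

-- 5. DEK state per database, decoded, and which key wraps the DEK
SELECT d.name AS database_name,
       dek.encryption_state,
       CASE dek.encryption_state
            WHEN 0 THEN 'No DEK present'
            WHEN 1 THEN 'Unencrypted'
            WHEN 2 THEN 'Encryption in progress'
            WHEN 3 THEN 'Encrypted'
            WHEN 4 THEN 'Key change in progress'
            WHEN 5 THEN 'Decryption in progress'
            WHEN 6 THEN 'Protection change in progress'
       END AS encryption_state_text,
       dek.percent_complete,
       dek.encryptor_type,                    -- expect ASYMMETRIC KEY
       ak.name AS protected_by                -- expect TDE_KEY
FROM sys.dm_database_encryption_keys AS dek
JOIN sys.databases AS d ON d.database_id = dek.database_id
LEFT JOIN sys.asymmetric_keys AS ak ON ak.thumbprint = dek.encryptor_thumbprint;
```

A database that shows encryption_state 3 but no protected_by value means its DEK is wrapped by a key this replica does not have, which is exactly the condition that makes the secondary restore fail.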

STEP 5: Add Database to Always On Group


On the primary, add the database to the Availability Group using ALTER AVAILABILITY GROUP … ADD DATABASE.


USE MASTER
GO
ALTER AVAILABILITY GROUP [AG-Name] ADD DATABASE iServerReportingDB

Back up the database (full and log backup)


  • Initiate a full backup and a log backup on the primary replica using the following SQL statements:

    BACKUP DATABASE iServerReportingDB TO DISK = '\\hqdbsp18\f$\iServerReportingDB_FULL.bak' WITH STATS = 10
    BACKUP LOG iServerReportingDB TO DISK = '\\hqdbsp18\f$\iServerReportingDB_Log.trn' WITH STATS = 10

On the secondary,


  • Create the database iServerReportingDB
  • Move the database backup file to a location from which Always On Replica #1 can restore the file
  • Run steps 1 through 4 from the previous section
  • Repeat the process for each Always On Replica node
  • Restore the full database backup
  • Restore the log backup
  • Join the database to the availability group using the ALTER AVAILABILITY GROUP T-SQL:

    ALTER DATABASE iServerReportingDB SET HADR AVAILABILITY GROUP = [AG-Name]
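The restore-and-join sequence for one secondary replica, written out as an added example (not the article's own script) using the backup paths and names from the article: both restores use NORECOVERY so the database stays in RESTORING state, which is what the join requires, and the join is only attempted once the state and the KEK have been checked. [AG-Name] is the article's placeholder for the group (SQLAG2 in its setup).

```sql
-- Added example (not from the original article): restore and join on a secondary.
-- Run after steps 1 to 4 have been repeated on this replica, so TDE_KEY exists here.
USE master;
GO
-- Restore the full backup WITH NORECOVERY so the database stays in RESTORING
-- state; REPLACE overwrites the empty database created on this replica.
RESTORE DATABASE iServerReportingDB
FROM DISK = '\\hqdbsp18\f$\iServerReportingDB_FULL.bak'
WITH REPLACE, NORECOVERY, STATS = 10;
GO
-- Apply the log backup, again WITH NORECOVERY (a recovered database cannot join).
RESTORE LOG iServerReportingDB
FROM DISK = '\\hqdbsp18\f$\iServerReportingDB_Log.trn'
WITH NORECOVERY, STATS = 10;
GO
-- Join only when the database really is RESTORING and the DEK protector is present.
-- Without TDE_KEY the restore itself fails, because the DEK cannot be opened.
IF EXISTS (SELECT 1 FROM sys.databases
           WHERE name = 'iServerReportingDB' AND state_desc = 'RESTORING')
   AND EXISTS (SELECT 1 FROM sys.asymmetric_keys WHERE name = 'TDE_KEY')
BEGIN
    ALTER DATABASE iServerReportingDB SET HADR AVAILABILITY GROUP = [AG-Name];
END
ELSE
    RAISERROR('iServerReportingDB is not RESTORING or TDE_KEY is missing; not joining.', 16, 1);
GO
```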

The AlwaysOn Group status

The screenshot below shows that iServerReportingDB is configured successfully with the EKM provider, Azure Key Vault.


Conclusion

In an Always-On-with-Azure-Key-Vault scenario, enabling TDE on one or more secondary replicas is indeed a tedious task. One has to get the help of Azure Key Manager to get all the required key information.


This article articulates every step required to set up and configure asymmetric TDE with Always On using Azure Key Vault. If you are able to configure the setup on the Primary, then similar steps should be applied to the Secondary, with a few steps being different (which are also covered in this article). You will be performing a backup and adding the database to the Availability Group in the former case, whereas you restore the database and join it to the Availability Group in the latter, on the secondary nodes.


Translated from: https://www.sqlshack.com/configure-tde-database-alwayson-using-azure-key-vault-sql-server-2016/
