---
title: Extensible Key Management Using Azure Key Vault
description: Use the SQL Server Connector for Extensible Key Management with Azure Key Vault for SQL Server.
author: jaszymas
ms.author: jaszymas
ms.reviewer: vanto, randolphwest
ms.date: 10/06/2025
ms.service: sql
ms.subservice: security
ms.topic: conceptual
ms.custom:
helpviewer_keywords:
---
[!INCLUDE SQL Server]
The [!INCLUDE ssNoVersion] Connector for Azure Key Vault enables [!INCLUDE ssNoVersion] encryption to use the Azure Key Vault service as an Extensible Key Management (EKM) provider to protect [!INCLUDE ssNoVersion] encryption keys.
This article describes the [!INCLUDE ssNoVersion] connector. More information is available in:
- Set up SQL Server TDE Extensible Key Management by using Azure Key Vault
- Use SQL Server Connector with SQL Encryption Features
- SQL Server Connector Maintenance & Troubleshooting
[!INCLUDE ssNoVersion] provides several types of encryption that help protect sensitive data, including Transparent data encryption (TDE), Encrypt a Column of Data (CLE), and Backup encryption. In all of these cases, the traditional key hierarchy encrypts the data with a symmetric data encryption key (DEK). The DEK is in turn protected by encrypting it with a hierarchy of keys stored inside [!INCLUDE ssNoVersion].
The alternative to this model is the EKM provider model. The EKM provider architecture lets [!INCLUDE ssNoVersion] protect the data encryption keys with an asymmetric key that is stored outside of [!INCLUDE ssNoVersion], in an external cryptographic provider. This model adds a further layer of security and separates the management of keys from the management of data.
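The following T-SQL is an added example that is not part of this article or of the connector's own documentation; it walks the EKM key hierarchy just described (DEK protected by an asymmetric key that stays in Key Vault) and ends with a query that checks which protector a database's DEK actually uses. All object names, the angle-bracket values, and the DLL path are placeholders or assumptions; the exact SECRET format depends on the connector version and is covered by the setup article.

```sql
-- Added example: EKM key hierarchy in T-SQL (placeholders in <angle brackets>).
USE master;
GO
-- 1. Register the connector DLL as a cryptographic provider.
--    Path assumed to be the installer default; adjust if installed elsewhere.
CREATE CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM_Prov
FROM FILE = 'C:\Program Files\Microsoft SQL Server Connector for Microsoft Azure Key Vault\Microsoft.AzureKeyVaultService.EKM.dll';
GO
-- 2. Credential the provider uses to reach the vault; IDENTITY is the vault
--    name, SECRET format is version-specific (see the setup article).
CREATE CREDENTIAL sysadmin_ekm_cred
    WITH IDENTITY = '<vault-name>', SECRET = '<secret-per-setup-article>'
FOR CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM_Prov;
GO
ALTER LOGIN [<domain>\<admin-login>] ADD CREDENTIAL sysadmin_ekm_cred;
GO
-- 3. Reference a key that already exists in the vault. The private key never
--    leaves Key Vault; SQL Server only holds a handle to it.
CREATE ASYMMETRIC KEY ekm_key
FROM PROVIDER AzureKeyVault_EKM_Prov
WITH PROVIDER_KEY_NAME = '<key-name-in-vault>',
     CREATION_DISPOSITION = OPEN_EXISTING;
GO
-- 4. Login and credential the Database Engine uses when it needs the key
--    (for example, to unwrap the DEK at startup).
CREATE LOGIN tde_ekm_login FROM ASYMMETRIC KEY ekm_key;
CREATE CREDENTIAL tde_ekm_cred
    WITH IDENTITY = '<vault-name>', SECRET = '<secret-per-setup-article>'
FOR CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM_Prov;
ALTER LOGIN tde_ekm_login ADD CREDENTIAL tde_ekm_cred;
GO
-- 5. Protect the symmetric DEK with the external asymmetric key (TDE).
USE [<database>];
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER ASYMMETRIC KEY ekm_key;
ALTER DATABASE [<database>] SET ENCRYPTION ON;
GO
-- Check: the DEK protector should be an asymmetric key whose provider row
-- points at the EKM provider, and encryption_state should reach 3 (encrypted).
SELECT DB_NAME(dek.database_id) AS database_name,
       dek.encryption_state,
       dek.encryptor_type,            -- expect 'ASYMMETRIC KEY', not 'CERTIFICATE'
       ak.name                 AS protector_key,
       cp.name                 AS provider_name
FROM sys.dm_database_encryption_keys AS dek
JOIN master.sys.asymmetric_keys      AS ak ON ak.thumbprint = dek.encryptor_thumbprint
LEFT JOIN sys.cryptographic_providers AS cp ON cp.guid = ak.cryptographic_provider_guid;
```

A DEK row whose `encryptor_type` is `CERTIFICATE` is still on the traditional service-managed hierarchy, even if the connector is installed.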
The following image compares the traditional service-managed key hierarchy with the Azure Key Vault system.
:::image type="content" source="media/ekm-key-hierarchy-traditional.png" alt-text="Diagram that compares the traditional service-managed key hierarchy with the Azure Key Vault system." lightbox="media/ekm-key-hierarchy-traditional.png":::
The [!INCLUDE ssNoVersion] Connector serves as a bridge between [!INCLUDE ssNoVersion] and Azure Key Vault, so [!INCLUDE ssNoVersion] can use the scalability, high performance, and high availability of the Azure Key Vault service. The following image represents how the key hierarchy works in the EKM provider architecture with Azure Key Vault and [!INCLUDE ssNoVersion] Connector.
Azure Key Vault can be used with [!INCLUDE ssNoVersion] installations on Azure Virtual Machines and for on-premises servers. The key vault service also provides the option to use tightly controlled and monitored Hardware Security Modules (HSMs) for a higher level of protection for asymmetric encryption keys. For more information about the key vault, see Azure Key Vault.
> [!NOTE]
> Only Azure Key Vault and Azure Key Vault Managed HSM are supported. Azure Cloud HSM isn't supported.
The following image summarizes the process flow of EKM using the key vault. (The process step numbers in the image aren't meant to match the setup step numbers that follow the image.)
:::image type="content" source="media/ekm-using-azure-key-vault.png" alt-text="Screenshot of SQL Server EKM using the Azure Key Vault." lightbox="media/ekm-using-azure-key-vault.png":::
> [!NOTE]
> Versions 1.0.0.440 and older are no longer supported in production environments. Upgrade to version 1.0.1.0 or a later version by visiting the Microsoft Download Center and using the instructions on the SQL Server Connector Maintenance & Troubleshooting page under "Upgrade of SQL Server Connector."
For the next step, see Set up SQL Server TDE Extensible Key Management by using Azure Key Vault.
For use scenarios, see Use SQL Server Connector with SQL Encryption Features.