Errors with February 2018 SQL Connector for Azure Key Vault

Microsoft released an updated version of the SQL Server Connector for Microsoft Azure Key Vault on 26/2/2018 (version 15.0.300.96). After the update, the connector appears unable to connect to the Key Vault from either existing or newly installed SQL Servers.

The first step in creating the asymmetric key from the Key Vault provider is typically:

CREATE ASYMMETRIC KEY SAM_TDE
FROM PROVIDER [AzureKeyVault_EKM_Prov]
WITH PROVIDER_KEY_NAME = 'SAM_TDE', CREATION_DISPOSITION = OPEN_EXISTING
GO

With the latest version of the SQL Connector this fails with the following error message:

Msg 33049, Level 16, State 2, Line 54

Key with name 'SAM_TDE' does not exist in the provider or access is denied. Provider error code: 2058.  (Provider Error - No explanation is available, consult EKM Provider for details)

Not very descriptive, is it? If you check the Application log in Event Viewer you should see an Event ID 2 from the connector for that key with the following details:

Operation: SQLCryptGetKeyInfoByName

Message: Error when accessing registry:5

What causes this?

It turns out the new version has an undocumented requirement for a registry key. The problem is that neither the SQL connector installer, the connector DLL nor the SQL Server service account has the rights to create it, so the provider fails with error 5 (Win32 ERROR_ACCESS_DENIED) when it tries to access the registry.

To fix this do the following:

  • In the registry, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
  • Create a new Key called SQL Server Cryptographic Provider
  • Give Full Control permissions to this key to the Windows service account that runs SQL Server
  • Try the operation again and it should work
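The same steps as a script, added here as an example rather than something from the original post or from Microsoft: it creates the key the connector expects and grants Full Control on it to the account that actually runs the SQL Server service, so no wider principal is granted rights. It assumes a default instance (service name MSSQLSERVER); for a named instance pass the service name (MSSQL$INSTANCENAME) and run it in an elevated PowerShell session.

```powershell
# Added example (not the original post's code): create the registry key the
# February 2018 SQL Connector for Azure Key Vault expects and grant the SQL
# Server service account Full Control on it. Run elevated.
param(
    [string]$ServiceName = 'MSSQLSERVER'   # assumption: default instance
)

$KeyPath = 'HKLM:\SOFTWARE\Microsoft\SQL Server Cryptographic Provider'

# Resolve the service account from the service itself instead of hard-coding
# it (e.g. 'NT Service\MSSQLSERVER' or a domain account).
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found on this host" }
$account = $svc.StartName
if ($account -eq 'LocalSystem') { $account = 'NT AUTHORITY\SYSTEM' }
Write-Host "SQL Server service account: $account"

# Step 1-2: create the key under HKLM\SOFTWARE\Microsoft only if it is missing.
if (-not (Test-Path -Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
    Write-Host "Created $KeyPath"
} else {
    Write-Host "$KeyPath already exists"
}

# Step 3: add an Allow/FullControl ACE for the service account that also
# applies to subkeys (ContainerInherit). Existing inherited ACEs are kept, so
# nothing is removed or widened for other principals.
$acl  = Get-Acl -Path $KeyPath
$rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
    -ArgumentList $account, 'FullControl', 'ContainerInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $KeyPath -AclObject $acl

# Verification: show the resulting ACEs so the grant can be confirmed and
# recorded before retrying CREATE ASYMMETRIC KEY in SQL Server.
(Get-Acl -Path $KeyPath).Access |
    Format-Table IdentityReference, RegistryRights, InheritanceFlags, AccessControlType -AutoSize
```

After running it, re-run the CREATE ASYMMETRIC KEY statement; once it succeeds, the key vault name should appear as a subkey under the path above, which is also a quick way to confirm the service account could write there.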

If you check that registry key again after creating the asymmetric key, you should see a registry entry named after the key vault.

So far I haven’t seen this documented anywhere online; Azure support was able to provide these details. Hopefully this helps those that encounter the same issue.