How often does SQL Server contact the Azure Key Vault for a Certificate or Key?

Wallace, Glenn 0 Reputation points
2024-09-13T14:14:38.8433333+00:00

I would like to use Azure Key Vault rather than Windows Store to store my SQL Server TDE Certificates/Keys, Server Certificates, and Always Encrypted Keys. However, I want to know how often the server connects to Azure Key Vault and polls the keys and certificates. What triggers the server to attempt to poll the key/certificate from the vault? Also, what happens if the connection between the key vault and the server is interrupted?

Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,314 questions
Azure SQL Database
SQL Server
SQL Server
A family of Microsoft relational database management and analysis systems for e-commerce, line-of-business, and data warehousing solutions.
13,998 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Sina Salam 12,011 Reputation points
    2024-09-14T03:21:38.9166667+00:00

    Hello Wallace, Glenn,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    I understand that you are interested in using Azure Key Vault rather than Windows Store to store my Azure SQL Server / on-prem Server TDE Certificates/Keys, Server Certificates, and Always Encrypted Keys.

    Using Azure Key Vault is a best practice, and cache secrets in your application and implementation of exponential back-off retry logic to handle scenarios when service limits are exceeded is a solution architect secret for consistency.

    Now, to answers your questions use the following link to see how you can enhance your data security and digital trust in the cloud using Azure services such as Azure Key Vault. https://techcommunity.microsoft.com/t5/microsoft-developer-community/enhancing-data-security-and-digital-trust-in-the-cloud-using/ba-p/4234937

    I want to know how often the server connects to Azure Key Vault and polls the keys and certificates.

    The connection frequency between Azure SQL Server or on-premises SQL server connects to Azure Key Vault occur only when it needs to access a key or certificate especially, during operations like encryption, decryption, or signing.

    What triggers the server to attempt to poll the key/certificate from the vault?

    The triggers happen whenever a new session starts that requires the key, when an operation is performed that needs the key, such as encrypting or decrypting data from an application or access, and when the key or certificate is accessed for the first time after a server restart.

    Also, what happens if the connection between the key vault and the server is interrupted?

    Whenever the connection between the key vault and the server is interrupted, SQL Server caches the keys and certificates for a short period to mitigate temporary connectivity issues and if there is an operation failure and the connection is not restored and the cached keys expire, operations requiring the keys will fail until the connection is re-established.

    For best practices, read more info here - https://learn.microsoft.com/en-us/azure/key-vault/secrets/secrets-best-practices

    I hope this is helpful! Do not hesitate to let me know if you have any other questions.

    Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.