

Provision enclave-enabled keys

Applies to: SQL Server 2019 (15.x) and later - Windows only Azure SQL Database

This article describes how to provision enclave-enabled keys that support computations inside server-side secure enclaves used for Always Encrypted with secure enclaves.

The general guidelines and processes for managing Always Encrypted keys apply when you provision enclave-enabled keys. This article covers the details specific to Always Encrypted with secure enclaves.

To provision an enclave-enabled column master key using SQL Server Management Studio or PowerShell, you need to make sure the new key supports enclave computations. This causes the tool (SSMS or PowerShell) to generate a CREATE COLUMN MASTER KEY statement that sets the ENCLAVE_COMPUTATIONS property in the column master key metadata in the database. For more information, see CREATE COLUMN MASTER KEY (Transact-SQL).

The tool also digitally signs the column master key properties using the column master key itself, and stores the signature in the database metadata. The signature protects the ENCLAVE_COMPUTATIONS setting from being tampered with by a malicious actor. SQL client drivers verify the signature before allowing the enclave to be used. This provides security administrators with control over which column data can be computed inside the enclave.

The ENCLAVE_COMPUTATIONS property is immutable, which means you can't change it once a column master key is defined in the metadata. To enable enclave computations using a column encryption key that a given column master key encrypts, you need to rotate the column master key and replace it with an enclave-enabled column master key. See Rotate enclave-enabled keys.

Note

Currently, both SSMS and PowerShell support enclave-enabled column master keys stored in Azure Key Vault or Windows Certificate Store. Hardware security modules (using CNG or CAPI) aren't supported.

To create an enclave-enabled column encryption key, you need to make sure you select an enclave-enabled column master key to encrypt the new key.

The following sections provide details on how to provision enclave-enabled keys using SSMS and PowerShell.

Provision enclave-enabled keys using SQL Server Management Studio

In SQL Server Management Studio, you can provision:

  • An enclave-enabled column master key using the New Column Master Key dialog.
  • An enclave-enabled column encryption key using the New Column Encryption Key dialog.

The Always Encrypted Wizard also allows you to create an enclave-enabled column master key and an enclave-enabled column encryption key.

Make sure you have the latest generally available (GA) version of SQL Server Management Studio (SSMS) installed.

Provision enclave-enabled column master keys with the New Column Master Key dialog

To provision an enclave-enabled column master key, follow the steps in Provision Column Master Keys with the New Column Master Key Dialog. Make sure you select Allow enclave computations. See the below screenshot:

Allow enclave computations

Note

The Allow enclave computations check box appears only if the database is configured with a secure enclave. If you're using SQL Server, see Configure the secure enclave in SQL Server. If you're using Azure SQL Database, see Enable Always Encrypted with secure enclaves for Azure SQL Database.

Tip

To check if a particular column master key is enclave-enabled, right-click the column master key in Object Explorer and select Properties. The key properties window shows Enclave Computations: Allowed if the key is enclave-enabled. Alternatively, you can use the sys.column_master_keys (Transact-SQL) view.

Provision enclave-enabled column encryption keys with the New Column Encryption Key dialog

To provision an enclave-enabled column encryption key, follow the steps in Provision Column Encryption Keys with the New Column Encryption Key Dialog. When selecting a column master key, make sure it is enclave-enabled.

Tip

To check if a column encryption key is enclave-enabled, right-click the column encryption key in Object Explorer and select Properties. The key properties window shows Enclave Computations: Allowed if the key is enclave-enabled.
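The two tips above describe checking enclave status key by key in Object Explorer. The following T-SQL, added here as an example and not part of the original article, does the same audit for a whole database from the catalog views; it assumes the allow_enclave_computations and signature columns of sys.column_master_keys (present in SQL Server 2019 (15.x) and later and in Azure SQL Database) and the standard sys.column_encryption_keys and sys.column_encryption_key_values views.

```sql
-- Added example (not from the original article). Lists every column master
-- key with its enclave setting and whether its properties were signed, and
-- the column encryption keys each one protects.
SELECT
    cmk.name                          AS column_master_key,
    cmk.key_store_provider_name,
    cmk.key_path,
    cmk.allow_enclave_computations,   -- 1 = created with ENCLAVE_COMPUTATIONS
    CASE WHEN cmk.signature IS NULL THEN 'no' ELSE 'yes' END AS properties_signed,
    cek.name                          AS column_encryption_key,
    cekv.encryption_algorithm_name
FROM sys.column_master_keys AS cmk
LEFT JOIN sys.column_encryption_key_values AS cekv
    ON cekv.column_master_key_id = cmk.column_master_key_id
LEFT JOIN sys.column_encryption_keys AS cek
    ON cek.column_encryption_key_id = cekv.column_encryption_key_id
ORDER BY cmk.name, cek.name;

-- A column encryption key is only enclave-enabled when the column master key
-- encrypting it is enclave-enabled. During a rotation a CEK has two encrypted
-- values (two CMKs); this query flags any CEK that is protected by at least
-- one column master key without enclave support, so it cannot be relied on
-- for enclave computations until that CMK is replaced.
SELECT
    cek.name AS column_encryption_key,
    COUNT(*) AS protecting_cmks,
    SUM(CASE WHEN cmk.allow_enclave_computations = 1 THEN 1 ELSE 0 END)
        AS enclave_enabled_cmks
FROM sys.column_encryption_keys AS cek
JOIN sys.column_encryption_key_values AS cekv
    ON cekv.column_encryption_key_id = cek.column_encryption_key_id
JOIN sys.column_master_keys AS cmk
    ON cmk.column_master_key_id = cekv.column_master_key_id
GROUP BY cek.name
HAVING SUM(CASE WHEN cmk.allow_enclave_computations = 1 THEN 1 ELSE 0 END)
       < COUNT(*);
```

Run both queries in the user database that holds the key metadata; the second query returns no rows when every column encryption key is fully enclave-enabled.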

Provision enclave-enabled keys using PowerShell

To provision enclave-enabled keys using PowerShell, you need the SqlServer PowerShell module version 22 or later.

In general, the Always Encrypted key provisioning workflows for PowerShell (with or without role separation) described in Provision Always Encrypted Keys using PowerShell also apply to enclave-enabled keys. This section describes the details specific to enclave-enabled keys.

The SqlServer PowerShell module extends the New-SqlCertificateStoreColumnMasterKeySettings and New-SqlAzureKeyVaultColumnMasterKeySettings cmdlets with the -AllowEnclaveComputations parameter to allow you to specify a column master key that is enclave-enabled during the provisioning process. Either cmdlet creates a local object containing properties of a column master key (stored in Azure Key Vault or in the Windows Certificate Store). If specified, the -AllowEnclaveComputations property marks the key as enclave-enabled in the local object. It also causes the cmdlet to access the referenced column master key (in Azure Key Vault or in Windows Certificate Store) to digitally sign the properties of the key. Once you create a settings object for a new enclave-enabled column master key, you can use it in a subsequent invocation of the New-SqlColumnMasterKey cmdlet to create a metadata object describing the new key in the database.

The process of provisioning an enclave-enabled column encryption key isn't any different from provisioning a column encryption key that isn't enclave-enabled. You just need to make sure that the column master key used to encrypt the new column encryption key is enclave-enabled.

Note

The SqlServer PowerShell module does not currently support provisioning enclave-enabled keys stored in hardware security modules (using CNG or CAPI).

Example - provision enclave-enabled keys using Windows Certificate Store

The below end-to-end example shows how to provision enclave-enabled keys, storing the column master key in Windows Certificate Store. The script is based on the example in Windows Certificate Store without Role Separation (Example). Note the use of the -AllowEnclaveComputations parameter in the New-SqlCertificateStoreColumnMasterKeySettings cmdlet, which is the only difference between the workflows in the two examples.

# Create a column master key in Windows Certificate Store.
$cert = New-SelfSignedCertificate -Subject "AlwaysEncryptedCert" -CertStoreLocation Cert:CurrentUser\My -KeyExportPolicy Exportable -Type DocumentEncryptionCert -KeyUsage DataEncipherment -KeySpec KeyExchange

# Import the SqlServer module.
Import-Module "SqlServer" -MinimumVersion 22.0.50

# Connect to your database.
$serverName = "<server name>"
$databaseName = "<database name>"
# Change the authentication method in the connection string, if needed.
$connStr = "Server = " + $serverName + "; Database = " + $databaseName + "; Integrated Security = True; TrustServerCertificate = True"
$database = Get-SqlDatabase -ConnectionString $connStr

# Create a SqlColumnMasterKeySettings object for your column master key
# using the -AllowEnclaveComputations parameter.
$cmkSettings = New-SqlCertificateStoreColumnMasterKeySettings -CertificateStoreLocation "CurrentUser" -Thumbprint $cert.Thumbprint -AllowEnclaveComputations

# Create column master key metadata in the database.
$cmkName = "CMK1"
New-SqlColumnMasterKey -Name $cmkName -InputObject $database -ColumnMasterKeySettings $cmkSettings

# Generate a column encryption key, encrypt it with the column master key and create column encryption key metadata in the database.
$cekName = "CEK1"
New-SqlColumnEncryptionKey -Name $cekName -InputObject $database -ColumnMasterKey $cmkName

Example - provision enclave-enabled keys using Azure Key Vault

The below end-to-end example shows how to provision enclave-enabled keys, storing the column master key in a key vault in Azure Key Vault. The script is based on the example in Azure Key Vault without Role Separation (Example). Note the two differences between the workflows for enclave-enabled keys and keys that aren't enclave-enabled.

  • In the below script, New-SqlAzureKeyVaultColumnMasterKeySettings uses the -AllowEnclaveComputations parameter to make the new column master key enclave-enabled.
  • The below script uses the Get-AzAccessToken cmdlet to obtain an access token for the key vault. This is required because New-SqlAzureKeyVaultColumnMasterKeySettings needs access to Azure Key Vault to sign the properties of the column master key.

# Create a column master key in Azure Key Vault.
Import-Module "SqlServer" -MinimumVersion 22.0.50
Import-Module Az.Accounts -MinimumVersion 2.2.0
Connect-AzAccount
$SubscriptionId = "<Azure SubscriptionId>"
$resourceGroup = "<resource group name>"
$azureLocation = "<datacenter location>"
$akvName = "<key vault name>"
$akvKeyName = "<key name>"
$azureCtx = Set-AzContext -SubscriptionId $SubscriptionId # Sets the context for the below cmdlets to the specified subscription.
New-AzResourceGroup -Name $resourceGroup -Location $azureLocation # Creates a new resource group - skip, if your desired group already exists.
New-AzKeyVault -VaultName $akvName -ResourceGroupName $resourceGroup -Location $azureLocation # Creates a new key vault - skip if your vault already exists.
Set-AzKeyVaultAccessPolicy -VaultName $akvName -ResourceGroupName $resourceGroup -PermissionsToKeys get, create, delete, list, wrapKey, unwrapKey, sign, verify -UserPrincipalName $azureCtx.Account
$akvKey = Add-AzKeyVaultKey -VaultName $akvName -Name $akvKeyName -Destination "Software"

# Connect to your database.
$serverName = "<server name>"
$databaseName = "<database name>"
# Change the authentication method in the connection string, if needed.
$connStr = "Server = " + $serverName + "; Database = " + $databaseName + "; Integrated Security = True; TrustServerCertificate = True"
$database = Get-SqlDatabase -ConnectionString $connStr

# Obtain an access token for key vaults.
$keyVaultAccessToken = (Get-AzAccessToken -ResourceUrl https://vault.azure.net).Token

# Create a SqlColumnMasterKeySettings object for your column master key.
$cmkSettings = New-SqlAzureKeyVaultColumnMasterKeySettings -KeyURL $akvKey.ID -AllowEnclaveComputations -KeyVaultAccessToken $keyVaultAccessToken

# Create column master key metadata in the database.
$cmkName = "CMK1"
New-SqlColumnMasterKey -Name $cmkName -InputObject $database -ColumnMasterKeySettings $cmkSettings

# Generate a column encryption key, encrypt it with the column master key and create column encryption key metadata in the database.
$cekName = "CEK1"
New-SqlColumnEncryptionKey -Name $cekName -InputObject $database -ColumnMasterKey $cmkName -KeyVaultAccessToken $keyVaultAccessToken

Next steps

See also