Installing the Vault EKM provider
This guide assumes you are installing the Vault EKM Provider for the first time. For upgrade instructions, see upgrading.
Prerequisites
- Vault Enterprise server 1.9+ with a license for the Advanced Data Protection Key Management module
- Microsoft Windows Server operating system
- Microsoft SQL Server 2012 or newer for Windows (Windows SQL Server Express and SQL Server for Linux does not support EKM)
- An authenticated Vault client
To check your Vault version and license, you can run:
The list of features should include "Key Management Transparent Data Encryption".
Installing the Vault EKM provider
Configuring Vault
The EKM provider requires AppRole auth and the Transit secret engine to be setup on the Vault server. The steps below can be used to configure Vault ready for the EKM provider to use it.
Note: rsa-2048 is currently the only supported key type.
Set up AppRole auth:
Note: After authenticating to Vault with the AppRole, the EKM provider will re-use the token it receives until it expires, at which point it will authenticate using the AppRole credentials again; it will not attempt to renew its token. The example AppRole configuraiton here will work for this, but keep that in mind if you choose to use a different AppRole configuration.
Retrieve the AppRole ID and secret ID for use later when configuring SQL Server:
Enable the transit secret engine and create a key:
Create a policy for the Vault EKM provider to use. The following policy has the minimum required permissions:
Configuring SQL server
The remaining steps are all run on the database server.
Install the EKM provider on the server
- Download and run the latest Vault EKM provider installer from releases.hashicorp.com
- Enter your Vault server's address when prompted and complete the installer
- If you need to configure non-default namespace or mount paths for your AppRole and Transit engines, see configuration.
Configure the EKM provider using SQL
Open Microsoft SQL Server Management Studio, and run the queries below to complete installation.
Enable the EKM feature and create a cryptographic provider using the folder you just installed the EKM provider into.
Next, create credentials for an admin to use EKM with your AppRole role and secret ID from above:
You can now create an asymmetric key using the transit key set up earlier:
Note: This is the first step at which the EKM provider will communicate with Vault. If Vault is misconfigured, this step is likely to fail. See troubleshooting for tips on specific error codes.
Create another login from the new asymmetric key:
Finally, you can enable TDE and protect the database encryption key with the asymmetric key managed by Vault's Transit secret engine:
Check the status of database encryption using the following queries:
Key rotation
See key rotation for guidance on rotating the encryption keys.