SQL Server on Linux gets a vital security update for Azure Key Vault integration

Microsoft has announced that SQL Server 2022 CU18 and later, running on Azure Linux Virtual Machines, now supports Managed Identity for authenticating to Azure Key Vault. The update addresses the long-standing need for a more secure and streamlined way to manage encryption keys and access Azure Key Vault.

As a bit of background, Managed Identity allows Azure services to authenticate via Microsoft Entra ID without embedding credentials in code. Azure Key Vault is a cloud service that lets you securely store and manage a range of data, including cryptographic keys, secrets, and certificates.

One of the core benefits of this update is the simplification of the configuration of Transparent Data Encryption (TDE) for SQL databases. TDE is useful because it encrypts data at rest (on disk) within a database, giving you more security against unauthorized access to data files. TDE is able to protect data at rest thanks to real-time I/O encryption/decryption at the page level.

Now that Managed Identity for authenticating to Azure Key Vault is here, users no longer provide a SECRET argument when creating credentials for TDE. This streamlines the process and enhances security by removing the need to pass sensitive secrets.

This change applies to anyone with an Azure Linux VM that has SQL Server 2022 CU18 (or later) installed. A user-assigned Managed Identity must be created and assigned to the Azure Linux VM. Finally, you must also have an Azure Key Vault set up with the necessary keys.

Microsoft says that the Managed Identity requires the Key Vault Crypto Service Encryption User role to perform key wrap and unwrap operations. The mssql-conf tool is used to set the Managed Identity as the primary identity for the SQL Server instance on the Linux VM. To learn more, check out Microsoft’s setup guide in its announcement.
