Create an Azure Key Vault and a key that will be used to protect the SQL Server TDE database encryption key.
Before setting up the Azure AD service principal, open Notepad and paste the following template into it; you will fill in the four values as you go. (The spKey line is a credential: delete the file when the workshop is over.)
AppID:
ObjID:
spKey:
KeyVaultURL:
-
Search for 'Azure Active Directory' and click the service.
-
Select 'App registration'
-
Click '+ New application registration'
-
Type the name, application type and sign-on URL:
  Name:             securityworkshop###
  Application Type: Web app / API
  Sign-on URL:      http://contosoworkshop###.com
Note: replace ### with three random digits (use the same digits everywhere they appear below).
Click to finish the application registration.
-
Click your application
-
Copy the Application ID and Object ID and paste them into your notepad (AppID and ObjID).
-
To create a key (the password the service principal will authenticate with), click 'Keys'.
-
Type a description, select 'In 1 year' under Expires, and click 'Save'.
-
When the key is saved, the password value is shown on the screen once and cannot be retrieved later. Copy the value and paste it into your notepad (spKey).
-
When the application registration is done, make sure you have the AppID, ObjID and the password value in your note.
-
Click '+ New', search for 'Key Vault', and click 'Create'.
-
Type a new key vault name and select your resource group:
  Name:            safevault###
  Subscription:    your subscription
  Resource Group:  workshop-###
  Location:        West US
  Pricing tier:    Standard
  Access policies: 1 principal selected (your own account, added by default)
-
Click 'Access policies' and click '+ Add new'
-
Select 'Key, Secret, & Certificate Management'
-
Click 'Select principal', search for 'securityworkshop###', and click the service principal in the result list.
-
Under cryptographic operations, check 'Decrypt', 'Encrypt', 'Unwrap Key', 'Wrap Key', 'Verify' and 'Sign'. Note: the SQL Server Connector for Azure Key Vault only needs Get, List, Wrap Key and Unwrap Key on keys to protect TDE, so if you want the service principal held to least privilege, those four are enough; the rest are granted here only because the workshop template selects them.
-
Click 'OK'
-
Click 'Create'
-
When the Key Vault has been created, copy its DNS name (the vault URI, https://safevault###.vault.azure.net/) and paste it into your note (KeyVaultURL).
Your note should now have all four values, like the following.
-
Click 'Keys' and then click '+ Add'.
-
Type a name to create a new key. Name it 'securityworkshopkey', leave the key type at RSA (SQL Server's Azure Key Vault EKM provider only works with RSA keys), and click 'Create'.
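The same procedure scripted end to end with the Az PowerShell module (Az.Accounts, Az.Resources, Az.KeyVault), as an added example rather than part of the original workshop. The suffix `123`, the resource names built from it and the one-year secret lifetime are assumptions standing in for the workshop's `###` placeholders; the script assumes you are already signed in with an account that can create app registrations and resource groups. It ends by printing the four values the notepad template asks for. One difference from the portal flow: the ObjID recorded here is the service principal's object ID (what the Key Vault access policy actually binds to), not the app registration's object ID shown on the portal blade.

```powershell
# Added example: provision the workshop's service principal, Key Vault and TDE key with Az PowerShell.
# Assumed names (replace 123 with the same three digits you used in the portal).
$suffix    = "123"
$appName   = "securityworkshop$suffix"
$homePage  = "http://contosoworkshop$suffix.com"
$rgName    = "workshop-$suffix"
$vaultName = "safevault$suffix"
$location  = "westus"
$keyName   = "securityworkshopkey"

Connect-AzAccount | Out-Null

# 1. App registration, service principal and a one-year password (the portal's 'Keys' step).
$app  = New-AzADApplication -DisplayName $appName -HomePage $homePage
$sp   = New-AzADServicePrincipal -ApplicationId $app.AppId
$cred = New-AzADAppCredential -ApplicationId $app.AppId -EndDate (Get-Date).AddYears(1)
# $cred.SecretText is returned exactly once, like the portal's key value; store it now.

# 2. Resource group and Key Vault (Standard tier, same region as the workshop table).
New-AzResourceGroup -Name $rgName -Location $location -Force | Out-Null
$vault = New-AzKeyVault -Name $vaultName -ResourceGroupName $rgName -Location $location -Sku Standard

# 3. Access policy for the service principal. The first four permissions are the ones
#    the SQL Server Connector needs for TDE; the remaining four mirror the workshop's checkboxes.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $sp.Id `
    -PermissionsToKeys get, list, wrapKey, unwrapKey, encrypt, decrypt, sign, verify

# 4. Software-protected RSA 2048 key that TDE will use as the asymmetric key protector.
Add-AzKeyVaultKey -VaultName $vaultName -Name $keyName -Destination Software -KeyType RSA -Size 2048 | Out-Null

# 5. The four values the notepad template asks for.
[pscustomobject]@{
    AppID       = $app.AppId
    ObjID       = $sp.Id
    spKey       = $cred.SecretText
    KeyVaultURL = $vault.VaultUri
} | Format-List
```

Run it once per workshop tenant; re-running `New-AzADApplication` with the same display name creates a second registration rather than reusing the first, so delete the old one (or skip step 1) if you need to repeat the vault steps.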