azure-docs
SQL High availability with customer-managed TDE and Secondary Key Vault Purge protection issue
Issues in setting this up: High availability with customer-managed TDE.
If someone accidentally turns on Purge Protection for the Secondary vault, you cannot restore the keys if a key is rolled in the Primary vault.
And once Purge Protection is enabled in the Secondary Vault, you no longer have High availability with customer-managed TDE.
Vault should have a flag to enable it as a Secondary Vault so that it disables the Purge Protection feature.
Document Details
⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.
- ID: ebc22d6d-6411-8b1f-6b0c-df0c6c0d4f41
- Version Independent ID: f34d4fa8-dc18-d2bb-a42f-bdea4329b118
- Content: Customer-managed transparent data encryption (TDE) - Azure SQL Database & Azure SQL Managed Instance & Azure Synapse Analytics
- Content Source: azure-sql/database/transparent-data-encryption-byok-overview.md
- Service: sql-db-mi
- Sub-service: security
- GitHub Login: @GithubMirek
- Microsoft Alias: mireks
@lostsole Thank you for the ask. We are reviewing this and will get back shortly.
Thank you. Just had someone from the Client Azure Admin Team enable Purge Protection on all the Vaults and break the syncing, since we have to delete the keys from the Secondary vault and import, but since Purge Protection was enabled we could not delete from the Soft-deleted location and restore the backup from the Primary. Not sure if there is a workaround for this.
This was not only for azure sql-db-mi but also for azure sql-db.
This is an AKV behaviour. SQL is a consumer of the AKV service and follows it.
Correct, but as an SQL consumer with a primary AKV and 2nd AKV setup (per the doc), if someone enables Purge Protection on the 2nd vault then it breaks everything, and then what is the point of having the 2nd AKV setup if you have to re-setup with a new name for the 2nd vault because of Purge Protection. That is why I said, if AKV knows that it is a 2nd Vault in the setup for SQL customer-managed keys, to set it to disabled and not allow it to be enabled, only on the 2nd vault.
We are an AKV consumer and the AKV does not check the SQL setting or any other underlying service's setting, analyzing or reacting/preventing actions for the underlying service’s configuration. The best I can think of is to document it on SQL side somewhere in the limitations section.
Has anyone reached out to AKV and made this suggestion? (make the AKV service better)
We did document on our side to let everyone know not to change that setting to enable Purge Protection, but Azure Windows Defender or some other Azure report service lets admins know you should enable Purge Protection on the vault, and then they bypassed the document that stated not to enable it on the 2nd Vault. (other issue)
So this breaks the setup from this document from MS: https://learn.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-byok-overview?view=azuresql,
which makes the 2nd vault not usable, as we don't feel like creating and re-adding all the Keys to a new KV.
Also this comment in the link above: "Both soft-delete and purge protection must be enabled on the key vault when configuring customer-managed TDE on a new or existing server or managed instance."
Unfortunately, as I mentioned previously, SQL is completely disjoint from AKV, which has no knowledge about SQL-specific configurations such as primary/secondary server. AKV looks only for individual permissions allowing an underlying service to access a key. In our case that is a check whether the managed identity set up for Azure SQL has the right permissions (get, wrap and unwrap). Therefore there is nothing on the AKV side that can be done for SQL high availability. You mentioned "if someone accidentally turns on Purge Protection for the Secondary vault you cannot restore the keys if a key is rolled in the Primary vault". It looks to me that this is an AKV issue. Feel free to create a support case and check whether this is a bug or by design.
The comment on "Both soft-delete and purge protection must be enabled on the key vault when configuring customer-managed TDE...." is very important, since in the past several customers accidentally deleted a key and came back to us to provide access to their database, which obviously we could not do anymore, and there was no way to access this data.
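A small audit for the primary/secondary vault pair this thread is about, added here as an example and not part of the issue, the linked doc, or any Microsoft tooling. It assumes dumps shaped like the `az keyvault show` and `az keyvault key show` JSON (field names `properties.enablePurgeProtection`, `key.kid`, `key.kty`, `key.n`, `attributes.enabled`); the vault contents at the bottom are constructed samples.

```python
# Added example for this issue thread (not Microsoft code, not from the linked doc).
# Audits the primary/secondary Key Vault pair of a customer-managed TDE setup.
# Field names follow the `az keyvault show` / `az keyvault key show` JSON shape
# (an assumption); the vault dumps at the bottom are constructed samples.
# A key imported into a second vault gets a fresh version id there, so the
# check matches material by (key name, kty, RSA modulus n), not by version id.
from typing import Dict, Set, Tuple

Fingerprint = Tuple[str, str, str]  # (key name, key type, modulus n)

def key_name(kid: str) -> str:
    """Key name from a kid like https://v.vault.azure.net/keys/tde-key/abc123."""
    return kid.split("/keys/", 1)[1].split("/", 1)[0]

def enabled_material(vault: Dict) -> Set[Fingerprint]:
    """Fingerprints of every enabled key version in a vault dump."""
    return {(key_name(k["key"]["kid"]), k["key"]["kty"], k["key"]["n"])
            for k in vault["keys"] if k["attributes"]["enabled"]}

def audit_pair(primary: Dict, secondary: Dict) -> Dict:
    """drift: enabled primary key versions the secondary lacks, i.e. material SQL
    would not find if it fell back to the secondary vault after a key roll.
    The purge-protection flags are reported because, as the thread describes,
    the delete-and-reimport fix is blocked on a vault where purging is disallowed."""
    missing = enabled_material(primary) - enabled_material(secondary)
    return {
        "drift": sorted(missing),
        "primary_purge_protection": bool(primary["properties"].get("enablePurgeProtection")),
        "secondary_purge_protection": bool(secondary["properties"].get("enablePurgeProtection")),
    }

def _key(vault: str, name: str, version: str, n: str, enabled: bool = True) -> Dict:
    """One constructed `az keyvault key show`-style record."""
    return {"key": {"kid": f"https://{vault}.vault.azure.net/keys/{name}/{version}",
                    "kty": "RSA", "n": n},
            "attributes": {"enabled": enabled}}

# Constructed sample: the primary rolled tde-key (new modulus "mod-B"); the
# secondary still holds only the old material and has purge protection on.
PRIMARY = {"properties": {"enablePurgeProtection": True},
           "keys": [_key("kv-primary", "tde-key", "v1", "mod-A"),
                    _key("kv-primary", "tde-key", "v2", "mod-B")]}
SECONDARY = {"properties": {"enablePurgeProtection": True},
             "keys": [_key("kv-secondary", "tde-key", "zz9", "mod-A")]}

if __name__ == "__main__":
    for finding, value in audit_pair(PRIMARY, SECONDARY).items():
        print(f"{finding}: {value}")
```

Feeding it real dumps means pulling each enabled version with `az keyvault key show` and the vault record with `az keyvault show`; a non-empty `drift` list is the condition the thread describes, where the secondary no longer covers the rolled key.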
#Please close
#please-close