
Provision Always Encrypted Keys Using PowerShell

11/06/2023 12:00 AM by Shivendra in Azure



In today's fast-paced digital world, keeping sensitive data secure is more critical than ever. We all know how damaging data breaches can be, which is why encryption plays a vital role in protecting our information. In this article, we'll guide you through provisioning Always Encrypted keys using PowerShell. The column master key is stored in Azure Key Vault, outside the database, and the column encryption key it protects is what keeps the data in your Azure SQL database confidential.

Understanding the Importance of Always Encrypted

Before we dive into the technical details, let's take a moment to appreciate the significance of Always Encrypted. In a world where data privacy is a constant concern, Always Encrypted is like a knight in shining armor.

What Are Always Encrypted Keys?

Think of Always Encrypted keys as the protectors of your treasure chest of data. They are the cryptographic keys that keep your data confidential so that only authorized individuals can read it. There are two kinds: a column encryption key encrypts the column data and is itself stored in the database only in encrypted form, while the column master key that protects it stays outside the database (here, in Azure Key Vault), so the database server never sees plaintext data or plaintext keys.

Setting the Stage

To begin our journey into provisioning Always Encrypted keys, you need to set the stage. The PowerShell script provided below will help you lay the groundwork:

# Define Key Vault and SQL Server details, as parameters
$SubscriptionId = "<Azure SubscriptionId>"
$resourceGroup = "<resource group name>"
$azureLocation = "<datacenter location>"
$KeyVaultName = "<key vault name>"
$KeyVaultKeyName = "<key name>"
$ServerName = "<Azure SQL server name>"
$DatabaseName = "<database name>"
$SqlServerAdminUser = "<DB User Name>"
$SqlServerAdminPassword = "<DB Password>"

# Sign in and select the subscription; $azureCtx is used later to grant the
# signed-in user access to the key vault
Connect-AzAccount -Subscription $SubscriptionId
$azureCtx = Get-AzContext

This script establishes the context for the subsequent commands, ensuring you're working within your specified Azure subscription and parameters.

Creating a Secure Environment

Before you can provision Always Encrypted keys, it's essential to create a secure environment. Let's go step by step:

Creating a Resource Group

# Creates a new resource group - skip if your desired group already exists.
New-AzResourceGroup -Name $resourceGroup -Location $azureLocation


This command creates a new resource group, or you can skip it if you've already set one up.

Creating a Key Vault

# Creates a new key vault - skip if your vault already exists.
New-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $resourceGroup -Location $azureLocation

The Azure Key Vault is your fortress for managing keys securely. This command establishes a new key vault with the name and resource group you've specified. Because data encrypted under a column master key becomes unrecoverable if that key is lost, keep soft-delete and purge protection enabled on the vault that holds it.

Granting Permissions

# Grant the signed-in user the key permissions needed to create the column master key
Set-AzKeyVaultAccessPolicy -VaultName $KeyVaultName -ResourceGroupName $resourceGroup -PermissionsToKeys get, create, delete, list, wrapKey, unwrapKey, sign, verify -UserPrincipalName $azureCtx.Account.Id

This command grants the signed-in user the key permissions needed to provision the column master key in this vault. It uses the vault's access-policy permission model; on a vault that uses Azure RBAC, the equivalent is a role assignment instead.
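The provisioning user above receives the full set of key permissions, but the identity that later queries encrypted columns needs far fewer. The following is an added example, not part of the original post: it grants a separate application identity only the permissions it needs at query time and then audits every access policy on the vault for key permissions beyond the provisioning set. It assumes $KeyVaultName and $resourceGroup from the script above, and $AppObjectId is a hypothetical placeholder for the application's service principal or managed identity. The query-time set (get, unwrapKey, verify) is my understanding of what the Always Encrypted Key Vault provider requires; confirm it against the provider's current documentation.

```powershell
# Added example (not from the original post). Assumes $KeyVaultName and $resourceGroup from the
# script above; $AppObjectId is a hypothetical placeholder for the querying application's identity.
$AppObjectId = "<object id of the application's service principal or managed identity>"  # placeholder

# Key permissions the provisioning script grants to the administrator who creates the keys.
$ProvisioningPermissions = @('get', 'create', 'delete', 'list', 'wrapKey', 'unwrapKey', 'sign', 'verify')

# Smaller set an application needs at query time: read the CMK metadata, unwrap the CEK,
# verify the CMK signature. Assumption: check against the provider's documentation.
$QueryPermissions = @('get', 'unwrapKey', 'verify')

# Grant the application only the query-time permissions (access-policy permission model).
Set-AzKeyVaultAccessPolicy -VaultName $KeyVaultName -ResourceGroupName $resourceGroup `
    -ObjectId $AppObjectId -PermissionsToKeys $QueryPermissions

function Get-ExcessKeyPermissions {
    <#
    .SYNOPSIS
    Lists every access policy on the vault that holds key permissions outside $Allowed.
    Run it after provisioning to confirm nobody retained more than the provisioning set.
    #>
    param(
        [Parameter(Mandatory)] [string]   $VaultName,
        [Parameter(Mandatory)] [string]   $ResourceGroupName,
        [Parameter(Mandatory)] [string[]] $Allowed
    )

    $vault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroupName

    foreach ($policy in $vault.AccessPolicies) {
        # -notcontains is case-insensitive, so 'UnwrapKey' and 'unwrapKey' compare equal.
        $extra = @($policy.PermissionsToKeys | Where-Object { $Allowed -notcontains $_ })
        if ($extra.Count -gt 0) {
            [pscustomobject]@{
                Principal           = $policy.DisplayName
                ObjectId            = $policy.ObjectId
                ExtraKeyPermissions = ($extra -join ', ')
            }
        }
    }
}

# Anything reported here (for example 'purge', 'backup' or 'all') is broader than key provisioning requires.
Get-ExcessKeyPermissions -VaultName $KeyVaultName -ResourceGroupName $resourceGroup -Allowed $ProvisioningPermissions |
    Format-Table -AutoSize
```

The audit reads the policies back from the vault rather than trusting what the script set, so it also catches permissions granted earlier by someone else. If the vault has Azure RBAC enabled, access policies are ignored entirely and the equivalent review is of the vault's role assignments.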

Key Provisioning

Now that your secure environment is in place, it's time to provision your Always Encrypted keys.

Adding a Key to Key Vault

# Creates a software-protected RSA key; use -Destination "HSM" on a Premium vault for an HSM-protected key
$akvKey = Add-AzKeyVaultKey -VaultName $KeyVaultName -Name $KeyVaultKeyName -Destination "Software"

This command creates the key inside your key vault, where it is stored securely and never leaves; the SqlServer cmdlets later use it only through Key Vault operations.

Establishing a Connection

# Connect to Azure Key Vault and get the latest key version
$KeyVaultKey = Get-AzKeyVaultKey -VaultName $KeyVaultName -Name $KeyVaultKeyName

# Build the connection string for your Azure SQL database
$ConnectionString = "Server=$ServerName;Database=$DatabaseName;User Id=$SqlServerAdminUser;Password=$SqlServerAdminPassword;MultipleActiveResultSets=true;"

The code above retrieves the latest version of the key from your Azure Key Vault. It also builds the connection string, using the provided credentials, that the next step uses to open your Azure SQL database.

Configuring Always Encrypted

With your keys in place, it's time to configure Always Encrypted in your Azure SQL database.

# Import the SQL Server module
Import-Module "SqlServer"

# Establish a connection to the database
$Database = Get-SqlDatabase -ConnectionString $ConnectionString

This section of the script imports the SQL Server module and establishes a connection to your Azure SQL database.

Creating Column Master Key Settings

# Create column master key settings for your Key Vault key

$KeyVaultKeyURL = $KeyVaultKey.Key.Kid
$CMKSettings = New-SqlAzureKeyVaultColumnMasterKeySettings -KeyURL $KeyVaultKeyURL

Here, you're creating column master key settings that point at your key vault key by its URL. The database stores only this reference (the key store provider name and the key path), never the key itself.

Obtaining an Access Token

# Obtain an access token for the Key Vault; the SqlServer cmdlets use it to reach the column master key
$KeyVaultAccessToken = (Get-AzAccessToken -ResourceUrl "https://vault.azure.net").Token

This command obtains an access token for your Key Vault so the SqlServer cmdlets can use the column master key on your behalf. Newer Az.Accounts versions can return the token as a SecureString; if yours does, convert it to plain text before passing it to New-SqlColumnEncryptionKey.

Creating or Opening the Column Master Key

# Create or open the column master key in the database
$CMKName = "CMK_Key"
try {
    # -ErrorAction Stop turns a "not found" error into an exception so the catch block runs
    $ExistingCMK = Get-SqlColumnMasterKey -Name $CMKName -InputObject $Database -ErrorAction Stop
}
catch {
    $NewCMK = New-SqlColumnMasterKey -Name $CMKName -InputObject $Database -ColumnMasterKeySettings $CMKSettings
}

This part of the script creates or opens the column master key in your database. If the key already exists, it opens it; otherwise, it creates a new one.

Generating the Column Encryption Key

# Generate a column encryption key and bind it to the column master key
$CEKName = "CEK_Key"
$CEK = New-SqlColumnEncryptionKey -Name $CEKName -InputObject $Database -ColumnMasterKey $CMKName -KeyVaultAccessToken $KeyVaultAccessToken

This command generates a column encryption key, wraps it with the column master key in Key Vault, and stores only the wrapped value in the database. The plaintext column encryption key never reaches the server.
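Once both keys exist, it is worth confirming from the database's own catalog that they are bound the way the script intended. The following is an added verification step, not part of the original post: it reads sys.column_master_keys, sys.column_encryption_keys and sys.column_encryption_key_values and returns a list of problems (empty means everything checks out). It assumes $ConnectionString, $KeyVaultKeyURL, $CMKName and $CEKName from the script above.

```powershell
# Added verification step (not part of the original post). Assumes $ConnectionString,
# $KeyVaultKeyURL, $CMKName and $CEKName from the script above.
Import-Module SqlServer

function Test-AlwaysEncryptedKeys {
    <#
    .SYNOPSIS
    Reads the Always Encrypted catalog views and returns a list of problems (empty = OK).
    Confirms that the CEK is bound to the expected CMK, that the CMK points at the Key Vault key,
    and that what the database stores for the CEK is only the RSA-OAEP-wrapped ciphertext.
    #>
    param(
        [Parameter(Mandatory)] [string] $ConnectionString,
        [Parameter(Mandatory)] [string] $CMKName,
        [Parameter(Mandatory)] [string] $CEKName,
        [Parameter(Mandatory)] [string] $ExpectedKeyURL
    )

    # Single-quoted here-string so that $(cmk) / $(cek) stay literal sqlcmd variables.
    $query = @'
SELECT cmk.name                       AS cmk_name,
       cmk.key_store_provider_name,
       cmk.key_path,
       cek.name                       AS cek_name,
       v.encryption_algorithm_name,
       DATALENGTH(v.encrypted_value)  AS encrypted_value_bytes
FROM sys.column_master_keys AS cmk
JOIN sys.column_encryption_key_values AS v
  ON v.column_master_key_id = cmk.column_master_key_id
JOIN sys.column_encryption_keys AS cek
  ON cek.column_encryption_key_id = v.column_encryption_key_id
WHERE cmk.name = N'$(cmk)' AND cek.name = N'$(cek)';
'@

    $rows = Invoke-Sqlcmd -ConnectionString $ConnectionString -Query $query -Variable "cmk=$CMKName", "cek=$CEKName"

    if (-not $rows) {
        return @("No value of CEK '$CEKName' is encrypted with CMK '$CMKName'.")
    }

    $problems = @()
    foreach ($r in $rows) {
        if ($r.key_store_provider_name -ne 'AZURE_KEY_VAULT') {
            $problems += "CMK '$($r.cmk_name)' uses provider '$($r.key_store_provider_name)', expected AZURE_KEY_VAULT."
        }
        # key_path is the Key Vault key URL the CMK settings were created from
        if ($r.key_path -ne $ExpectedKeyURL) {
            $problems += "CMK '$($r.cmk_name)' points at '$($r.key_path)', expected '$ExpectedKeyURL'."
        }
        if ($r.encryption_algorithm_name -ne 'RSA_OAEP') {
            $problems += "CEK '$($r.cek_name)' is wrapped with '$($r.encryption_algorithm_name)', expected RSA_OAEP."
        }
        if ($r.encrypted_value_bytes -le 0) {
            $problems += "CEK '$($r.cek_name)' has an empty encrypted value."
        }
    }
    return $problems
}

$issues = Test-AlwaysEncryptedKeys -ConnectionString $ConnectionString -CMKName $CMKName -CEKName $CEKName -ExpectedKeyURL $KeyVaultKeyURL
if ($issues) {
    $issues | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "CMK '$CMKName' and CEK '$CEKName' are provisioned as expected."
}
```

The check deliberately uses a plain SQL connection with no Key Vault access: everything it needs is metadata and ciphertext, which is exactly what a database administrator without the column master key is able to see.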


Provisioning Always Encrypted keys using PowerShell and Azure Key Vault is a vital step in safeguarding your sensitive data. In a world where data breaches are a constant concern, this process ensures that your information is protected from prying eyes.

The purpose of the code contained in blog is solely for learning and demo purposes. The author will not be held responsible for any failures or damages caused due to any other usage.

Happy Learning



