Part 1 – SQL Server TDE and Extensible Key Management Using Azure Key Vault

Install the SQL Server Connector for Microsoft Azure Key Vault 

This is Part: 1 of a 4-part blog series:

This blog in the series installs the Connector for Microsoft Azure Key Vault. This DLL is the provider that allows SQL Server to talk to Azure Key Vault.


Download the Connector from the Microsoft Download Center. (The download/install should be done by a “local administrator” on the SQL Server computer.)

Versions and older have been replaced and are no longer supported in production environments.
Upgrade to version or later by visiting the Microsoft Download Center 
and using the instructions on the SQL Server Connector Maintenance &  
page under “Upgrade of SQL Server Connector.”
There is a breaking change in version, in terms of the thumbprint algorithm.
You may experience database restore failure after upgrading to version.
Please refer to KB article 447099.


By default, the connector installs at C:\Program Files\SQL Server Connector for Microsoft Azure Key Vault. This location can be changed during setup. (If changed, adjust the as appropriate.)

There is no interface for the Connector, but if it is installed successfully, the Microsoft.AzureKeyVaultService.EKM.dll file is installed on the machine.

This is the cryptographic EKM provider DLL that needs to be registered with SQL Server by using the CREATE CRYPTOGRAPHIC PROVIDER statement.

The SQL Server Connector installation also allows you to optionally download sample for SQL Server . 

You can validate the installation by navigating to the installation path, right-clicking the file, selecting “Properties”, selecting the Details tab, and confirming that the Product version is 1.0.50.
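The same validation can be scripted before the DLL is registered with SQL Server. The PowerShell below is an added example, not part of the original article or of the Connector; the default path, file name and expected version are the ones stated above. The Authenticode and SHA-256 steps go beyond the manual check, and they assume the installed DLL carries a valid Authenticode signature.

```powershell
# Added example: scripted form of the "Properties > Details" check for the EKM provider DLL.
param(
    # Default install location and DLL name as given in the article.
    [string]$InstallDir = 'C:\Program Files\SQL Server Connector for Microsoft Azure Key Vault',
    [string]$DllName = 'Microsoft.AzureKeyVaultService.EKM.dll',
    # Product version the article says to expect; change it if you install another release.
    [string]$ExpectedVersion = '1.0.50'
)

$dllPath = Join-Path -Path $InstallDir -ChildPath $DllName
if (-not (Test-Path -LiteralPath $dllPath -PathType Leaf)) {
    Write-Error "EKM provider DLL not found at $dllPath"
    exit 1
}

$file = Get-Item -LiteralPath $dllPath
$productVersion = $file.VersionInfo.ProductVersion

# Assumption: the DLL is Authenticode-signed. This DLL is loaded by SQL Server,
# so an unsigned or tampered file should stop the setup here.
$sig = Get-AuthenticodeSignature -LiteralPath $dllPath
$signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }

# Record the hash so later changes to the file can be detected.
$hash = Get-FileHash -LiteralPath $dllPath -Algorithm SHA256

[pscustomobject]@{
    Path            = $dllPath
    ProductVersion  = $productVersion
    SignatureStatus = $sig.Status
    Signer          = $signer
    SHA256          = $hash.Hash
} | Format-List

$ok = $true
if ($productVersion -ne $ExpectedVersion) {
    Write-Warning "Product version is '$productVersion', expected '$ExpectedVersion'."
    $ok = $false
}
if ($sig.Status -ne 'Valid') {
    Write-Warning "Authenticode signature status is '$($sig.Status)'; do not register this DLL."
    $ok = $false
}
if (-not $ok) { exit 1 }
Write-Output 'Connector DLL checks passed.'
```

Review the reported signer before trusting the result, and keep the recorded hash with your change records so the file can be re-checked after upgrades.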


To view error code explanations, configuration settings, or maintenance tasks for SQL Server Connector, visit the appendix at the bottom of this topic: 


Installing the SQL Connector is just the first step in configuring SQL Server TDE to use Azure Key Vault. Continue the setup process using the Azure Portal (Part: AP2) or PowerShell (Part: PS2).


 See you at the next blog (Part: 2) 


Next steps

SQL Server Transparent Data Encryption and Extensible Key Management Using Azure Key Vault – Intro

SQL Server Connector for Microsoft Azure Key Vault (aka: SQL Server Connector) – Part: 1 (this document) 

Azure Portal Method:

Set up an Azure Service Principal – Part: AP2

Create an Azure Key Vault – Part: AP3

PowerShell Method:

Setup Azure Service Principal and Azure Key Vault (one script) – Part: PS2

This script combines Part: AP2 & Part: AP3

Configure SQL Server TDE EKM using AKV – Part: 4


This article was originally published by Microsoft's Azure SQL Database Blog. You can find the original article here.