https://support.microsoft.com/en-us/help/4470999/db-backup-problems-to-sql-server-connector-for-azure-1-0-5-0

A breaking change has been introduced in Version 1.0.5.0 of 'SQL Server Connector for Microsoft Azure Key Vault' .  The 1.0.5.0 version updated the way it calculates thumbprints to match the logic used in the engine, in order to support the migration scenario of On Prem SQL Server using EKM to Azure SQL DB using TDE BYOK.  Because of this change, customer may hit issues when they are trying to restore database backups from when they were using 1.0.4.0 or old version to a server using 1.0.5.0 version.

Here is an example

===

SQL Server instance sql1 has 'SQL Server Connector for Microsoft Azure Key Vault' 1.0.4.0 deployed. SQL Server instance sql2 has 'SQL Server Connector for Microsoft Azure Key Vault' 1.0.5.0 deployed. Both instance sql1 and sql2 deploy an ASYMMETRIC key from the same ASYMMETRIC key in Azure Key Vault.

CREATE ASYMMETRIC KEY TDE_KEY

FROM PROVIDER AzureKeyVaultProvider

WITH PROVIDER_KEY_NAME = 'key1',

CREATION_DISPOSITION = OPEN_EXISTING

The thumbprints are different. The length of thumbprint of 1.0.5.0 version is little bit greater than the thumbprint of 1.0.4.0 version.

Here is example of thumbprint of 1.0.4.0 version

0x2C5677D76F76D77F80

Here is example of thumbprint of 1.0.5.0 version. Please note, both asymmetric keys are created from same source.

0x373B314B78E8D59A0925494558FEF14B726216C5

This breaking change causes problem in backup/restore scenario.

For example, if you have a backup of a database encrypted by an asymmetric key  in Azure Key vault in instance sql1.

The instance sql2 has same asymmetric key created.

If you try to restore the backup to instance sql2, the restore fails with the error message below

Msg 33111, Level 16, State 4, Line 20

Cannot find server asymmetric key with thumbprint '0x2C5677D76F76D77F80'.

Here is the query to retrieve the thumbprint of each key.

select thumbprint,* from master.sys.asymmetric_keys

Here is the query to retrieve the thumbprint of each TDE database

select db_name(ddek.database_id) as DatabaseName,ak.name as[Asymmetric key Name], ak.thumbprint From sys.dm_database_encryption_keys ddek inner join master.sys.asymmetric_keys ak on ak.thumbprint=ddek.encryptor_thumbprint

Solution

===

Copy the 'SQL Server Connector for Microsoft Azure Key Vault' 1.0.4.0 or related version to the instance sql2 box.

Run the query below in sql2 to change the CRYPTOGRAPHIC PROVIDER to 1.0.4.0 version.

ALTER CRYPTOGRAPHIC PROVIDER AzureKeyVaultProvider

FROM FILE =

'C:\Program Files\SQL Server Connector for Microsoft Azure Key Vault\1.0.4.0\Microsoft.AzureKeyVaultService.EKM.dll'

Create a new asymmetric key using the 1.0.4.0 provider.

CREATE ASYMMETRIC KEY TDE_KEY_1040

FROM PROVIDER AzureKeyVaultProvider

WITH PROVIDER_KEY_NAME = 'key1',

CREATION_DISPOSITION = OPEN_EXISTING

After that, you are able to restore the backup.

Run the query below in sql2 to revert  the CRYPTOGRAPHIC PROVIDER to 1.0.5.0 version.

ALTER CRYPTOGRAPHIC PROVIDER AzureKeyVaultProvider

FROM FILE =

'C:\Program Files\SQL Server Connector for Microsoft Azure Key Vault\1.0.5.0\Microsoft.AzureKeyVaultService.EKM.dll'

You can either use the same asymmetric key or change to a new version asymmetric key to use the new thumbprint.

alter DATABASE ENCRYPTION KEY

ENCRYPTION BY SERVER ASYMMETRIC KEY KeyName1050Version

The thumbprint of same asymmetric key is not same in 'SQL Server Connector for Microsoft Azure Key Vault' 1.0.4.0 and 'SQL Server Connector for Microsoft Azure Key的更多相关文章

  1. SQL语句实现不存在即插入,存在则increase某字段的功能insert into … on duplicate key update

    前提条件:必须是唯一主键: CREATE UNIQUE INDEX idx_vote_object ON test_customers_vote (`vote_object`, `vote_objec ...

  2. yii2.0 报错Cookievalidationkey Must Be Configured With A Secret Key

    'components' => [ 'request' => [ // !!! insert a secret key in the following (if it is empty) ...

  3. OpenSSL和Python实现RSA Key公钥加密私钥解密

    基于非对称算法的RSA Key主要有两个用途,数字签名和验证(私钥签名,公钥验证),以及非对称加解密(公钥加密,私钥解密).本文提供一个基于OpenSSL和Python进行非对称加解密的例子. 1. ...

  4. Redis百亿级Key存储方案(转)

    1 需求背景 该应用场景为DMP缓存存储需求,DMP需要管理非常多的第三方id数据,其中包括各媒体cookie与自身cookie(以下统称supperid)的mapping关系,还包括了supperi ...

  5. 转载文章(Redis中对key的操作)

    转载地址:http://www.cnblogs.com/stephen-liu74/archive/2012/03/26/2356951.html 一.概述: 在该系列的前几篇博客中,主要讲述的是与R ...

  6. Duplicate entry 'javajavajav' for key 'username'

    org.apache.ibatis.exceptions.PersistenceException: ### Error updating database.  Cause: com.mysql.jd ...

  7. 关于MapReduce中自定义带比较key类、比较器类(二)——初学者从源码查看其原理

    Job类 /**   * Define the comparator that controls    * how the keys are sorted before they   * are pa ...

  8. android初级篇之apk签名key keystore格式转pk8+x509.pem

    转自:http://www.jianshu.com/p/3bd5c68cc44d 常用的android的签名工具有两个即jarsigner 和apksigner.这两种使用的key格式不一样,keys ...

  9. 深入理解ConcurrentMap.putIfAbsent(key,value) 用法

    转自:http://blog.csdn.net/exceptional_derek/article/details/40384659 先看一段代码: public class Locale { pri ...

随机推荐

  1. am335x uboot2016.05 (MLO u-boot.img)执行流程(转)

    am335x的cpu上电后,执行流程:ROM->MLO(SPL)->u-boot.img 第一级bootloader:引导加载程序,板子上电后会自动执行这些代码,如启动方式(SDcard. ...

  2. Python 面向对象的补充

    isinstance(obj,cls)和issubclass(sub,super) isinstance(obj,cls)检查是否obj是否是类 cls 的对象 1 class Foo(object) ...

  3. 关于sql server的一种简单用法——在上面写查询语句,即可在下面修改数据

    选择数据库中的表,右键单击-->编辑前200行,然后在显示的页面中选择带SQL标志的图标

  4. Kotlin基础(三)类、对象和接口

    类.对象和接口 一.定义类的继承结构 一)Kotlin中的接口 Kotlin的接口与Java8中相似,它们可以包含抽象方法的定义以及非抽象方法的实现,但它们不能包含任何状态. interface Cl ...

  5. 第一章 初始STM32

    1.3什么是STM32? ST是意法半导体,M是MIcroelectronisc的缩写,32表示32位. 合起来就是:ST公司开发的32位微控制器. 1.4 STM32 能做什么? STM32属于一个 ...

  6. [NOIP2018]普及组游记

    想不到自己还有机会写游记 ——sysky 考完一个月后 DAY -INF 报名 还为了拍照下载了一个PS 特地把自己P白了一点233 花里胡哨得提交了rg.noi.cn DAY -14~-2 停课集训 ...

  7. multiprocess模块

    什么是进程 什么是进程 进程是计算机中的程序关于某数据集合一次运行活动,是系统进行资源分配和调度的基本单位,是操作系统结构的基础,进程与进程之间数据隔离,执行过程异步 为什么会出现进程的概念 合理利用 ...

  8. 深入理解this,bind、call

    直接看this 直接看call和bind 首先放一道题: var a={ a:'haha', getA: function(){ console.log(this.a); } } var b= { a ...

  9. MySQL数据库引擎MyISAM和InnoDB的区别介绍

    MySQL数据库有多种存储引擎:比如:MyISAM.InnoDB.MERGE.MEMORY(HEAP).BDB(BerkeleyDB).EXAMPLE.FEDERATED.ARCHIVE.CSV.BL ...

  10. POJ1068 --(模拟)

    这题是在看一个书的时候的一个例题,当时并不明白啥意思,于是便找了下原题,以前没在POJ上刷过,这是开了个头,以后努力刷这个网站 题目大概意思是:http://poj.org/problem?id=10 ...