Class SQLServerColumnEncryptionAzureKeyVaultProvider


  • public class SQLServerColumnEncryptionAzureKeyVaultProvider
    extends SQLServerColumnEncryptionKeyStoreProvider
    Provides an implementation similar to the certificate store provider: a CEK encrypted with the certificate store provider should be decryptable by this provider, and vice versa.
    Envelope format for the encrypted column encryption key:
    version + keyPathLength + ciphertextLength + keyPath + ciphertext + signature
    version: a single byte indicating the format version.
    keyPathLength: length of the keyPath.
    ciphertextLength: length of the ciphertext.
    keyPath: the keyPath used to encrypt the column encryption key. This is only used for troubleshooting purposes and is not verified during decryption.
    ciphertext: the encrypted column encryption key.
    signature: signature of the entire byte array. The signature is validated before the column encryption key is decrypted.
    • Constructor Detail

      • SQLServerColumnEncryptionAzureKeyVaultProvider

        @Deprecated
        public SQLServerColumnEncryptionAzureKeyVaultProvider​(SQLServerKeyVaultAuthenticationCallback authenticationCallback,
                                                              java.util.concurrent.ExecutorService executorService)
                                                       throws SQLServerException
        Deprecated.
        Constructs a SQLServerColumnEncryptionAzureKeyVaultProvider with a callback function to authenticate to AAD and an executor service. The callback is used by KeyVaultClient at runtime to authenticate to Azure Key Vault. This constructor is present to maintain backwards compatibility with the 6.0 version of the driver. Deprecated for removal in the next stable release.
        Parameters:
        authenticationCallback - Callback function used for authenticating to AAD.
        executorService - The ExecutorService previously used to create the keyVaultClient; it is no longer used and may be passed as null.
        Throws:
        SQLServerException - when an error occurs
      • SQLServerColumnEncryptionAzureKeyVaultProvider

        public SQLServerColumnEncryptionAzureKeyVaultProvider​(SQLServerKeyVaultAuthenticationCallback authenticationCallback)
                                                       throws SQLServerException
        Constructs a SQLServerColumnEncryptionAzureKeyVaultProvider with a callback function to authenticate to AAD. This is used by KeyVaultClient at runtime to authenticate to Azure Key Vault.
        Parameters:
        authenticationCallback - Callback function used for authenticating to AAD.
        Throws:
        SQLServerException - when an error occurs
      • SQLServerColumnEncryptionAzureKeyVaultProvider

        public SQLServerColumnEncryptionAzureKeyVaultProvider​(java.lang.String clientId,
                                                              java.lang.String clientKey)
                                                       throws SQLServerException
        Constructs a SQLServerColumnEncryptionAzureKeyVaultProvider with a client id and client key to authenticate to AAD. This is used by KeyVaultClient at runtime to authenticate to Azure Key Vault.
        Parameters:
        clientId - Identifier of the client requesting the token.
        clientKey - Key of the client requesting the token.
        Throws:
        SQLServerException - when an error occurs
    • Method Detail

      • decryptColumnEncryptionKey

        public byte[] decryptColumnEncryptionKey​(java.lang.String masterKeyPath,
                                                 java.lang.String encryptionAlgorithm,
                                                 byte[] encryptedColumnEncryptionKey)
                                          throws SQLServerException
        Decrypts an encrypted CEK with the RSA encryption algorithm using the asymmetric key specified by the key path.
        Specified by:
        decryptColumnEncryptionKey in class SQLServerColumnEncryptionKeyStoreProvider
        Parameters:
        masterKeyPath - Complete path of an asymmetric key in AKV
        encryptionAlgorithm - Asymmetric key encryption algorithm
        encryptedColumnEncryptionKey - Encrypted column encryption key
        Returns:
        Plain text column encryption key
        Throws:
        SQLServerException - when an error occurs while decrypting the CEK
      • encryptColumnEncryptionKey

        public byte[] encryptColumnEncryptionKey​(java.lang.String masterKeyPath,
                                                 java.lang.String encryptionAlgorithm,
                                                 byte[] columnEncryptionKey)
                                          throws SQLServerException
        Encrypts CEK with RSA encryption algorithm using the asymmetric key specified by the key path.
        Specified by:
        encryptColumnEncryptionKey in class SQLServerColumnEncryptionKeyStoreProvider
        Parameters:
        masterKeyPath - Complete path of an asymmetric key in AKV
        encryptionAlgorithm - Asymmetric key encryption algorithm
        columnEncryptionKey - Plain text column encryption key
        Returns:
        Encrypted column encryption key
        Throws:
        SQLServerException - when an error occurs while encrypting the CEK
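The following Python model is an added illustration, not code from the driver, of the envelope layout given in the class summary and of the ordering that decryptColumnEncryptionKey relies on: the signature over the whole array is checked, and the length fields reconciled, before any ciphertext is released to the key. The 2-byte little-endian length fields, the lower-cased UTF-16LE keyPath, the version value 0x01 and the HMAC-SHA256 stand-in for the Key Vault RSA signature are all assumptions of this example.

```python
import hashlib
import hmac
import struct
VERSION = 0x01     # assumed value of the single-byte format version
HEADER = "<BHH"    # version, keyPathLength, ciphertextLength (assumed 2-byte little-endian lengths)
HEADER_LEN = struct.calcsize(HEADER)

def build_envelope(key_path: str, ciphertext: bytes, sign) -> bytes:
    """Serialise version + keyPathLength + ciphertextLength + keyPath + ciphertext + signature."""
    key_path_bytes = key_path.lower().encode("utf-16-le")  # assumption: lower-cased UTF-16LE key path
    body = struct.pack(HEADER, VERSION, len(key_path_bytes), len(ciphertext)) + key_path_bytes + ciphertext
    return body + sign(body)                                # signature covers every preceding byte

def parse_envelope(blob: bytes, verify, signature_len: int) -> tuple:
    """Validate layout and signature, then return (keyPath, ciphertext); raise ValueError otherwise."""
    if len(blob) < HEADER_LEN:
        raise ValueError("envelope shorter than its header")
    version, kp_len, ct_len = struct.unpack_from(HEADER, blob, 0)
    if version != VERSION:
        raise ValueError("unsupported envelope version %d" % version)
    signed_len = HEADER_LEN + kp_len + ct_len
    if len(blob) != signed_len + signature_len:             # truncated, padded or inconsistent lengths
        raise ValueError("length fields disagree with envelope size")
    # Signature is checked before the ciphertext is released; keyPath is troubleshooting data only.
    if not verify(blob[:signed_len], blob[signed_len:]):
        raise ValueError("envelope signature invalid")
    key_path = blob[HEADER_LEN:HEADER_LEN + kp_len].decode("utf-16-le")
    return key_path, blob[HEADER_LEN + kp_len:signed_len]

# Constructed stand-in for the Key Vault RSA signature: HMAC-SHA256 under a demo key (not RSA).
DEMO_KEY = b"constructed-demo-key"
SIG_LEN = hashlib.sha256().digest_size

def demo_sign(data: bytes) -> bytes:
    return hmac.new(DEMO_KEY, data, hashlib.sha256).digest()

def demo_verify(data: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(demo_sign(data), signature)

def tampered_copy(blob: bytes) -> bytes:
    # Flip the first ciphertext byte; both length fields stay valid, so only the signature catches it.
    kp_len = struct.unpack_from(HEADER, blob, 0)[1]
    out = bytearray(blob)
    out[HEADER_LEN + kp_len] ^= 0x01
    return bytes(out)

def rejects_envelope(blob: bytes) -> bool:
    # True when parse_envelope refuses the blob, i.e. nothing would be sent to the key for decryption.
    try:
        parse_envelope(blob, demo_verify, SIG_LEN)
    except ValueError:
        return True
    return False
```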