
Always Encrypted

jmah8 edited this page May 26, 2022 · 7 revisions

Windows certificate store (Windows only)

After encrypting the columns, change settings.py to enable decryption: put "extra_params": "ColumnEncryption=Enabled;" in the OPTIONS dictionary inside the DATABASES dictionary in settings.py, e.g.:

DATABASES = {
    "default": {
        "ENGINE": "mssql",
        ...
        "OPTIONS": {
          ...
          "extra_params": "ColumnEncryption=Enabled;"
        },
    },
}

Client ID/secret

Follow the Microsoft documentation on how to configure Always Encrypted using Azure Key Vault. You can follow it up to "Create a client application that works with the encrypted data", skipping the "Create a table" step and instead letting Django create the tables by running python manage.py migrate.

If the Always Encrypted wizard doesn't work, you can manually add the Key Vault by right-clicking the Column Master Keys folder found under Security > Always Encrypted Keys in SSMS

[Screenshot: AEAddKeyVault]

and selecting New Column Master Key ..., changing Key store to Azure Key Vault and selecting the key to use. If you do it this way, choose the key you added in the Select column master key dropdown instead of choosing Auto generate column master key in the Master Key Configuration section.

After encrypting the columns, change settings.py to enable decryption: put "extra_params": "ColumnEncryption=Enabled;KeyStoreAuthentication=KeyVaultClientSecret;KeyStorePrincipalId=XXXXX;KeyStoreSecret=YYYYY", where XXXXX and YYYYY are the Application (client) ID and the Client secret value, in the OPTIONS dictionary inside the DATABASES dictionary in settings.py, e.g.:

DATABASES = {
    "default": {
        "ENGINE": "mssql",
        ...
        "OPTIONS": {
          ...
          # Replace XXXXX and YYYYY with Application (client) ID and Client secret value respectively
          "extra_params": "ColumnEncryption=Enabled;KeyStoreAuthentication=KeyVaultClientSecret;KeyStorePrincipalId=XXXXX;KeyStoreSecret=YYYYY"
        },
    },
}

Managed Identity

Follow the Microsoft documentation on how to configure Always Encrypted using Azure Key Vault to create a key vault and set up the encrypted columns. You can follow it up to "Create a client application that works with the encrypted data", skipping the "Create a table" step and instead letting Django create the tables by running python manage.py migrate. On the VM, download the ODBC Driver.

System-Assigned

Follow the Microsoft docs on setting up a system-assigned managed identity to access Azure SQL up to the "Access data" section. Then execute EXEC sp_addrolemember N'db_owner', N'VMNAME' in the database, replacing VMNAME with the name of the VM. Grant the VM access to the key vault by adding an access policy following the steps in Microsoft's managed identities docs, and give it the permissions listed in the Microsoft Configure Always Encrypted by using Azure Key Vault docs, but avoid granting permissions it does not need. Then in the DATABASES dictionary in settings.py add "extra_params": "ColumnEncryption=Enabled;KeyStoreAuthentication=KeyVaultManagedIdentity" to the OPTIONS dictionary, e.g.:

"default": {
    "ENGINE": "mssql",
    ...
    "OPTIONS": {
        ...
        "extra_params": "ColumnEncryption=Enabled;KeyStoreAuthentication=KeyVaultManagedIdentity",
    },
},

User-Assigned

Create a managed identity and assign it to a VM following the procedure outlined in the Microsoft docs. Then follow the Microsoft docs on setting up a system-assigned managed identity to access Azure SQL up to the "Access data" section, replacing VMName with the managed identity's name. Then execute EXEC sp_addrolemember N'db_owner', N'NameOfIdentity' in the database, replacing NameOfIdentity with the name of the managed identity you created. Grant the VM access to the key vault by adding an access policy following the steps in Microsoft's managed identities docs, and give it the permissions listed in the Microsoft Configure Always Encrypted by using Azure Key Vault docs, but avoid granting permissions it does not need. Then in the DATABASES dictionary in settings.py add "extra_params": "ColumnEncryption=Enabled;KeyStoreAuthentication=KeyVaultManagedIdentity;KeyStorePrincipalId=XXXXX", where XXXXX is the principal id of the managed identity, to the OPTIONS dictionary, e.g.:

"default": {
    "ENGINE": "mssql",
    ...
    "OPTIONS": {
        ...
        # Replace the XXXXX with the user-assigned managed identity's principal id
        "extra_params": "ColumnEncryption=Enabled;KeyStoreAuthentication=KeyVaultManagedIdentity;KeyStorePrincipalId=XXXXX",
    },
},
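The four configurations above (Windows certificate store, client ID/secret, system-assigned and user-assigned managed identity) assembled by one settings.py helper, as an added example that is not part of this wiki or of mssql-django. The mode labels, the environment variable names (AKV_CLIENT_ID, AKV_CLIENT_SECRET, AKV_MI_PRINCIPAL_ID, AE_MODE) and the database name are assumptions; the helper keeps the client secret out of settings.py and rejects values containing ';', which would otherwise terminate the attribute and change the rest of the connection string.

```python
import os


def _attr(keyword, value, env_name):
    """Format one connection-string attribute, refusing values that would
    terminate the attribute early and let a later keyword be injected."""
    if not value:
        raise ValueError(f"{env_name} must be set for this mode")
    if ";" in value:
        raise ValueError(f"{env_name} must not contain ';'")
    return f"{keyword}={value}"


def always_encrypted_extra_params(mode, env=None):
    """Build OPTIONS["extra_params"] for mssql-django for one of the four
    configurations above (mode labels are ours, not ODBC keywords). Secrets
    come from the environment (constructed variable names), not settings.py."""
    env = os.environ if env is None else env
    parts = ["ColumnEncryption=Enabled"]
    if mode == "windows_cert_store":
        pass  # no KeyStoreAuthentication: the Windows certificate store is used
    elif mode == "client_secret":
        parts.append("KeyStoreAuthentication=KeyVaultClientSecret")
        parts.append(_attr("KeyStorePrincipalId", env.get("AKV_CLIENT_ID"), "AKV_CLIENT_ID"))
        parts.append(_attr("KeyStoreSecret", env.get("AKV_CLIENT_SECRET"), "AKV_CLIENT_SECRET"))
    elif mode == "system_assigned_mi":
        parts.append("KeyStoreAuthentication=KeyVaultManagedIdentity")
    elif mode == "user_assigned_mi":
        parts.append("KeyStoreAuthentication=KeyVaultManagedIdentity")
        parts.append(_attr("KeyStorePrincipalId", env.get("AKV_MI_PRINCIPAL_ID"), "AKV_MI_PRINCIPAL_ID"))
    else:  # username/password and AKV Interactive are unsupported, so refuse them
        raise ValueError(f"unsupported Always Encrypted mode: {mode!r}")
    return ";".join(parts) + ";"


# settings.py usage; NAME is a constructed placeholder.
DATABASES = {
    "default": {
        "ENGINE": "mssql",
        "NAME": "appdb",
        "OPTIONS": {
            "extra_params": always_encrypted_extra_params(
                os.environ.get("AE_MODE", "windows_cert_store")),
        },
    },
}
```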

Unsupported

Username/password and AKV Interactive are unsupported at this time.