Keystore providers hold the column master keys that Always Encrypted uses to decrypt column encryption keys. The driver currently supports three providers: the Windows Certificate Store, Azure Key Vault, and a PKCS #12 file. If the location of a PKCS #12 file is specified, the driver uses that file as the provider. Otherwise, the driver selects the provider dynamically, based on the encryption metadata the server returns, whenever it encrypts parameters or decrypts data in result sets.

Windows Certificate Store

The Windows Certificate Store is a local certificate repository that is available only on Windows platforms. When this provider is used, the column master key resides on the client machine, so no network call is needed to reach the keystore. The driver requires no additional configuration to use the Windows Certificate Store as a provider once Always Encrypted is enabled (ColumnEncryption=Enabled | ResultsetOnly).

Azure Key Vault

Azure Key Vault is a key and certificate repository hosted in Azure. This provider offers several advantages over the Windows Certificate Store: keys are reachable from an application running on any platform, and they do not need to be copied to and cached on the local machine. However, unless the application itself runs in Azure, calls to the key vault cross a WAN, which can affect performance. To access the column master key, the driver authenticates against Azure Key Vault with a service principal's ID and client secret. The client secret grants access to the column master key and must be protected like any other credential: do not embed it in source or configuration files, and do not log connection strings that contain it. You can specify the principal ID and client secret using the following options:
  • Key Store Principal Id (AEKeystorePrincipalId): Specifies the principal ID used to authenticate against the Azure Key Vault. See "Key Store Principal Id" for a detailed description.
  • Key Store Secret (AEKeystoreClientSecret): Specifies the Client Secret used to authenticate against the Azure Key Vault. See "Key Store Secret" for a detailed description.

PKCS #12 File

The driver supports storing the column master key in a PKCS #12 file. The file can reside on local disk on any platform the driver supports. To use this provider, specify the following options:
  • AE Keystore Location (AEKeyStoreLocation): Specifies the absolute path to the PKCS #12 file.
  • AE Keystore Secret (AEKeyStoreSecret): Specifies the password used to access the PKCS #12 file. This option is needed only when the PKCS #12 file is password-protected.
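The following example, added here and not taken from the driver's own documentation or code, shows how the Azure Key Vault options above and the PKCS #12 options in this section are assembled into ODBC connection strings, and how to redact the secret-bearing attributes before such a string is logged. It assumes the option names on this page are accepted as connection-string attributes, that a DSN named "ae_dsn" exists (hypothetical), that values containing ODBC delimiters are brace-quoted with an embedded "}" doubled (the usual ODBC convention), and that the file path and secrets are constructed placeholders.

```python
# Added example (not from the original documentation). Builds ODBC connection
# strings that select an Always Encrypted keystore provider and redacts them
# for logging. Assumptions: the keystore options named on this page are accepted
# as connection-string attributes; "ae_dsn", the file path and the secrets used
# by callers are hypothetical placeholders.
import os

ENCRYPTION_MODES = {"Enabled", "ResultsetOnly"}          # ColumnEncryption values from the page
SECRET_ATTRIBUTES = {"aekeystoreclientsecret", "aekeystoresecret"}  # never log these


def _quote(value: str) -> str:
    """Brace-quote a value containing ODBC delimiters; a '}' inside is doubled."""
    if any(c in value for c in ";{}=") or value != value.strip():
        return "{" + value.replace("}", "}}") + "}"
    return value


def _join(attrs: dict) -> str:
    return ";".join(f"{k}={_quote(v)}" for k, v in attrs.items()) + ";"


def _check_mode(mode: str) -> None:
    if mode not in ENCRYPTION_MODES:
        raise ValueError(f"ColumnEncryption must be one of {sorted(ENCRYPTION_MODES)}")


def akv_connection_string(dsn: str, principal_id: str, client_secret: str,
                          mode: str = "Enabled") -> str:
    """Azure Key Vault provider: service principal ID plus client secret.

    Pass the secret in from a secret store or environment variable; it is a
    credential for the column master key and must not live in source files.
    """
    _check_mode(mode)
    if not client_secret:
        raise ValueError("client secret is empty")
    return _join({
        "DSN": dsn,
        "ColumnEncryption": mode,
        "AEKeystorePrincipalId": principal_id,
        "AEKeystoreClientSecret": client_secret,
    })


def pkcs12_connection_string(dsn: str, location: str, password: str = None,
                             mode: str = "Enabled", check_exists: bool = True) -> str:
    """PKCS #12 provider: absolute file path, password only if the file has one.

    check_exists=False lets you build the string on a machine other than the
    one the driver runs on (for example when generating a DSN for deployment).
    """
    _check_mode(mode)
    if not os.path.isabs(location):
        raise ValueError("AEKeyStoreLocation must be an absolute path")
    if check_exists and not os.path.isfile(location):
        raise FileNotFoundError(location)
    attrs = {"DSN": dsn, "ColumnEncryption": mode, "AEKeyStoreLocation": location}
    if password:
        attrs["AEKeyStoreSecret"] = password
    return _join(attrs)


def parse_connection_string(s: str) -> dict:
    """Split 'key=value;...' into a dict, honouring brace-quoted values."""
    attrs, i, n = {}, 0, len(s)
    while i < n:
        eq = s.find("=", i)
        if eq < 0:
            break
        key = s[i:eq].strip()
        i = eq + 1
        if i < n and s[i] == "{":                     # quoted value
            i += 1
            buf = []
            while i < n:
                if s[i] == "}":
                    if i + 1 < n and s[i + 1] == "}":  # escaped brace
                        buf.append("}")
                        i += 2
                        continue
                    i += 1
                    break
                buf.append(s[i])
                i += 1
            value = "".join(buf)
            semi = s.find(";", i)
        else:                                          # bare value
            semi = s.find(";", i)
            value = s[i:n if semi < 0 else semi]
        i = n if semi < 0 else semi + 1
        attrs[key] = value
    return attrs


def redact(connection_string: str) -> str:
    """Mask the keystore secret attributes so the string is safe to log."""
    attrs = parse_connection_string(connection_string)
    return _join({k: ("***" if k.lower() in SECRET_ATTRIBUTES else v)
                  for k, v in attrs.items()})
```

Only the redacted form should ever reach a log or an error message; the parser is what makes that safe, because a naive split on ";" would truncate a brace-quoted secret and could leak the rest of it into the next attribute.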