Always-Encrypted MSSQL Server w/ Azure Key Vault

AlHolden · April 7, 2021, 2:13am

Our CFML Server is hosted by Viviotech.
In another location, a Microsoft SQL Server on the Azure cloud.

Because the database stores HIPAA protected information, we need to apply the “Always-Encrypted” setting to the Database and encrypt certain columns in certain tables.

MY QUESTION:
Has anyone configured a datasource in Lucee - to 1) employ an “Always-Encrypted” MS DB where 2) the key is located on Azure Key Vault?

On CF2018, this is the error we get when I add mssql-jdbc-9.2.1.jre11.jar and try to configure ColdFusion’s “Other” DSN via their UI and custom connection strings.

Invalid key store provider name: AZURE_KEY_VAULT. A key store provider name must denote either a system key store provider or a registered custom key store provider. Valid system key provider names are: ,[MSSQL_CERTIFICATE_STORE]. Valid (currently registered) custom key store provider names are: null. Please verify key store provider information in column master key definitions in the database, and verify all custom key store providers used in your application are registered properly.

We’ve configured a NON-COLDFUSION client to connect and decrypt data from this server successfully, so it doesn’t seem to be a permissions issue there (the first thing we fixed)

I’ve been telling this client about Lucee (which I use elsewhere) for years. I was just told by Adobe support that Always-Encrypted feature is not supported in CF2018, so this is a good time to pounce!

kabutotx · April 7, 2021, 2:43pm

Maybe this will help?

Where are you storing your keys? Azure, Cert Store, Java?

AlHolden · April 7, 2021, 10:40pm

Thanks @kabutotx

In this setup, the MSSQL DB is on Azure, and the key is also in the Azure Key Vault. The CFML Engine is over at Viviotech.

Yes, I have read this - and many other pages on the general “Always Encrypted” topic. There are solutions on SO and at Hostek, but they seem to assume the key is local, which is not the case here. The driver needs to go fetch it. Actually, I can get the key as a string from the vault using cfttp, but don’t know what to do with it once I have it.

My confusion comes from all the suggestions about “customizing” a JDBC driver as may be needed, while both ColdFusion and Lucee only provide a relatively simple place (a form) to set some parameters. Some of these properties cannot be represented in a connection string, or set anywhere in the Administrator.

So, some customization is apparently needed, I just don’t know WHERE to put it.
A text configuration file somewhere?
Throw a bunch of Java invocations into the Application’s startup event?
Rewrite every DB tag to use a custom object?

kabutotx · April 8, 2021, 2:08am

If you you use the Azure Vault it says you need the azure-security-keyvault-keys and azure-identity dependencies. You can get those jars from the maven repository. Then put in the connection string settings you need for the driver version and if using 8.4.1 or greater if you are using managed identity.

Examples with just key and id
8.4.1+
…;columnEncryptionSetting=Enabled;keyStoreAuthentication=KeyVaultClientSecret;keyStorePrincipalId=clientId;keyStoreSecret=clientSecret

7.4.1
…;columnEncryptionSetting=Enabled;keyVaultProviderClientId=ClientId;keyVaultProviderClientKey=ClientKey