Entity Framework extension for Always Encrypted support through Azure Key Vault
- Microsoft SQL Server 2016 or Azure Database
- Azure Key Vault access (on keys: get, wrap, unwrap)
- At least one key uploaded into the Key Vault
- At least one Column Master key created in the SQL database
- At least one Column encryption key created based on one or two Column Master keys
- Always Encrypted with Azure Key Vault tutorial
- Configure Always Encrypted with SSMS
- Create Column Master key
- Create Column Encryption key (Use of SSMS is recommended)
- Getting Access Token from Azure AD
- Always Encrypted features and limitations
- Create an implementation of the `IAccessTokenProvider` (for more information see Getting Access Token from Azure AD)
- Derive your DbContext from the `AlwaysEncryptedDbContext`
- Add the `Column Encryption Setting=Enabled` setting to your connection string
- Add the `EncryptedColumnAttribute` to the desired entity property
- Create a new migration file with the `Add-Migration` command
- Run the migration with the `Update-Database` command
- Filters and joins can only be made on deterministic encrypted columns
- If filtering a collection the filter variable must be placed into a separate variable before passing it to the expression
- The migration only works for newly created columns
- The columns have to be nullable
- Please see the limitations for supported data types
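
The filter limitations above follow from how the SQL client driver handles Always Encrypted: it encrypts parameter values on the client, so a filter value must reach the server as a parameter, and equality only matches on deterministically encrypted columns. The sketch below is an added example using Microsoft's ADO.NET and ADAL APIs directly; it is not this extension's code. The table `dbo.Patients`, its columns, and the client id/secret arguments are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using Microsoft.SqlServer.Management.AlwaysEncrypted.AzureKeyVaultProvider;

public static class AlwaysEncryptedDemo
{
    private static ClientCredential _credential;

    // Call once at process start; registering providers a second time throws.
    public static void RegisterKeyVaultProvider(string clientId, string clientSecret)
    {
        _credential = new ClientCredential(clientId, clientSecret);
        var provider = new SqlColumnEncryptionAzureKeyVaultProvider(GetTokenAsync);
        SqlConnection.RegisterColumnEncryptionKeyStoreProviders(
            new Dictionary<string, SqlColumnEncryptionKeyStoreProvider>
            {
                { SqlColumnEncryptionAzureKeyVaultProvider.ProviderName, provider }
            });
    }

    // Invoked by the provider when it must unwrap a column encryption key.
    // The identity needs only get, wrap and unwrap on Key Vault keys.
    private static async Task<string> GetTokenAsync(string authority, string resource, string scope)
    {
        var context = new AuthenticationContext(authority);
        AuthenticationResult result = await context.AcquireTokenAsync(resource, _credential);
        return result.AccessToken;
    }

    // connectionString must contain "Column Encryption Setting=Enabled".
    // SSN is assumed to be a char(11) column with DETERMINISTIC encryption.
    public static int? FindPatientId(string connectionString, string ssn)
    {
        const string sql = "SELECT PatientId FROM dbo.Patients WHERE SSN = @ssn";
        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            // Parameter type and length must match the column exactly; a literal
            // in the SQL text cannot be encrypted and the query is rejected.
            command.Parameters.Add("@ssn", SqlDbType.Char, 11).Value = ssn;
            connection.Open();
            object id = command.ExecuteScalar();
            return id == null || id is DBNull ? (int?)null : (int)id;
        }
    }
}
```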