MSSQL_CERTIFICATE_STORE Operation is not supported on this platform - linux

I'm working with a .NET Core 3.1 application (C#) and facing an error message like this when I send requests to a Docker container inside an Ubuntu server:
"Failed to decrypt a column encryption key using key store provider: 'MSSQL_CERTIFICATE_STORE'. The last 10 bytes of the encrypted column encryption key are: 'xx-xx-xx-xx-xx-xx-xx-xx-xx-xx'.\nOperation is not supported on this platform."
According to this link (https://learn.microsoft.com/en-us/sql/connect/odbc/using-always-encrypted-with-the-odbc-driver?view=sql-server-ver15), it seems that Linux doesn't contain MSSQL_CERTIFICATE_STORE and forces me to use the Azure Key Vault store.
My question is: 'Is it possible to integrate MSSQL_CERTIFICATE_STORE with a Linux environment without using the Azure Key Vault store?'

If you still want to use the Windows Certificate Store in a Linux environment, you need to configure it on a Windows machine, export the certificate and install it on the Linux machine. For more details, please refer to the article.
Meanwhile, for a Linux client application, you can use the Azure Key Vault store with the ODBC driver. Besides, if you do not want to use the Azure Key Vault store, you can use custom store providers with the ODBC driver. For more details, please refer to the document and the document.
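Since the asker's client is a .NET Core 3.1 application rather than an ODBC one, the following is an added example (not code from the question, the answer or Microsoft) of the "custom store provider" route in Microsoft.Data.SqlClient: a provider that reads the column master key from a PFX exported from the Windows certificate store and installed on the Linux host. Everything here is an assumption for illustration: the provider name PFX_FILE_STORE, the environment variable CMK_PFX_PASSWORD, the placeholder connection string and table. Two caveats a practitioner should know: SqlClient reserves the MSSQL_ name prefix for its built-in providers, so a custom provider cannot simply impersonate MSSQL_CERTIFICATE_STORE; and the encrypted column encryption key values that MSSQL_CERTIFICATE_STORE produced are in that provider's own framed format (version, key path, ciphertext, signature), not a bare RSA ciphertext, so a column master key must be registered under the custom provider's name and the column encryption key re-wrapped with it (ALTER COLUMN ENCRYPTION KEY ... ADD VALUE) before this provider can decrypt anything.

```csharp
// Added example, not from the original post: a custom Always Encrypted key store
// provider for Microsoft.Data.SqlClient that works on Linux by loading the column
// master key from a PFX file. All names and paths below are illustrative.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Data.SqlClient;

public sealed class PfxFileKeyStoreProvider : SqlColumnEncryptionKeyStoreProvider
{
    // Custom provider names must not start with "MSSQL_" (reserved by SqlClient).
    public const string ProviderName = "PFX_FILE_STORE";
    private readonly string _pfxPassword;

    public PfxFileKeyStoreProvider(string pfxPassword) => _pfxPassword = pfxPassword;

    // masterKeyPath is the KEY_PATH stored with the column master key in the database;
    // this provider interprets it as the filesystem path of the exported PFX.
    private byte[] WithPrivateKey(string masterKeyPath, Func<RSA, byte[]> operation)
    {
        using var cert = new X509Certificate2(masterKeyPath, _pfxPassword);
        using RSA rsa = cert.GetRSAPrivateKey()
            ?? throw new InvalidOperationException("PFX contains no RSA private key.");
        return operation(rsa);
    }

    private static void CheckAlgorithm(string encryptionAlgorithm)
    {
        // Always Encrypted only defines RSA_OAEP for wrapping column encryption keys.
        if (!string.Equals(encryptionAlgorithm, "RSA_OAEP", StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException($"Unsupported algorithm '{encryptionAlgorithm}'.");
    }

    public override byte[] EncryptColumnEncryptionKey(string masterKeyPath,
        string encryptionAlgorithm, byte[] columnEncryptionKey)
    {
        CheckAlgorithm(encryptionAlgorithm);
        return WithPrivateKey(masterKeyPath,
            rsa => rsa.Encrypt(columnEncryptionKey, RSAEncryptionPadding.OaepSHA256));
    }

    public override byte[] DecryptColumnEncryptionKey(string masterKeyPath,
        string encryptionAlgorithm, byte[] encryptedColumnEncryptionKey)
    {
        CheckAlgorithm(encryptionAlgorithm);
        return WithPrivateKey(masterKeyPath,
            rsa => rsa.Decrypt(encryptedColumnEncryptionKey, RSAEncryptionPadding.OaepSHA256));
    }
}

public static class Program
{
    public static void Main()
    {
        var providers = new Dictionary<string, SqlColumnEncryptionKeyStoreProvider>
        {
            [PfxFileKeyStoreProvider.ProviderName] = new PfxFileKeyStoreProvider(
                Environment.GetEnvironmentVariable("CMK_PFX_PASSWORD"))
        };
        // Register once per process, before any query touching encrypted columns runs.
        SqlConnection.RegisterColumnEncryptionKeyStoreProviders(providers);

        // Placeholder connection string; "Column Encryption Setting=Enabled" turns on
        // client-side decryption for this connection.
        using var conn = new SqlConnection(
            "Server=tcp:db.example.internal;Database=AppDb;" +
            "Column Encryption Setting=Enabled;Encrypt=True;" +
            "User ID=app;Password=<placeholder>;");
        conn.Open();
        using var cmd = new SqlCommand("SELECT TOP 1 SSN FROM dbo.Patients", conn);
        using var reader = cmd.ExecuteReader();
        while (reader.Read())
            Console.WriteLine(reader.GetString(0)); // plaintext; decrypted by the driver
    }
}
```

Keep the PFX and its password outside the container image (a mounted secret or the orchestrator's secret store) and restrict the file to the service account that runs the application; the master key path that ends up in the database's column master key definition is visible to anyone who can read the catalog, so it should not reveal more than the file location.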

Related

Best way to auto-rotate Windows service account passwords? ACL on encryption key?

Running Windows 10, I'm trying to automatically reset service account passwords with PowerShell, and replace those passwords in local Services on a regular cadence.
My plan:
Generate a local encryption key (used to encrypt a local file containing the service account's current password)
ACL that key to only the owning service account
Is this sufficient security-wise? Or can ACLs be bypassed by, let's say WSL (Linux) with 'cat'?
Am I on the right path? Or is there some native functionality that would be more secure? We allow very minimal vendor-provided services in this environment, so functionality must be native to Windows Server/AD - or anything I can cook up with .NET.
I've heard of MSA, gMSA but not too familiar. I'd like to control the process at the server level with a single task that can do service testing to ensure services are running properly post-change, not sure if that would be available with MSA/gMSA.

Signing files with Azure Key Vault + AzureSignTool

I have a program (.msi file) that is being built on a remote machine that I have no physical access to. The program is supposed to be distributed to users with Windows machines, however, in order to prevent the Smart Defender popup, I need to sign the installer with EV Code Signing certificate.
In order to implement the code signing on the remote machine that I am using right now, I was thinking about using Azure Key Vault along with AzureSignTool.exe, however, I am not sure whether this setup is reasonable. Is there anybody who had any experience with such a setup and could let me know how well it works?
I have also seen that in the Azure Key Vault there is a Managed HSM Pool option, however, I couldn't find much information on what that is. Am I ever going to need that or can I just simply ignore it?

Publishing a database project with Always On Encryption and Azure Key Vault

I have an existing SQLAzure database. We are developing a new feature and need to have column level encryption. I am researching how to set this up.
We currently push changes to our local and to production via a database project. A simple right click > publish.
When I do this in my local environment after setting up the column encryption with the key stored in the Azure Key Vault, I receive the following error.
"Cannot proceed as Key Vault support is not present in the current application. For Key Vault support during deployment, install DacFramework.msi and run SqlPackage.exe from its install location."
I've done that and still receive the same error.
Is it possible to maintain the right click publish functionality with the column level encryption or will I need to create an external script to set this up from now on?
It is possible that the newly updated hosted agent has a newer version of the DAC framework installed which is taking precedence over the full version that was installed separately, or else there is some other sort of discrepancy between the two and your system is trying to use the older version of the framework. It is also possible that some of your VMs have the framework and others do not, and this is causing that error.
There is a known issue with that error message that the product team is working on. See also, the user voice item.
Can you provide any of your error logs for further troubleshooting?
I would also recommend sending an email with your subscription ID to AzCommunity#microsoft.com so that I can open a support case for you. It will be easier to diagnose with more insight into your environment.

Encrypting connection strings for azure webapp

I am trying to encrypt the connection strings of the web app hosted in Azure. I found that this can be done using the aspnet_regiis.exe tool. But my question is: we have auto scale-out enabled and it happens quite often. So, if I encrypt the connection strings using the tool mentioned above, will it work if the web app is scaled out? Is there any other way to encrypt?
If you want to securely store your connection string you should use Azure Key Vault (as mentioned by Peter Bons).
To safely access the credentials you should consider using Managed Identities.
Here is the Managed Identities documentation for App Services.
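To make the answer concrete, here is an added example (not the answerer's code, nor Microsoft's) of what "Key Vault plus managed identity" looks like from a .NET web app: the connection string is fetched at startup with the instance's managed identity, so every scaled-out instance reads the same secret and nothing sensitive sits in the app's configuration or file system. The vault URL and secret name are placeholders, and the example assumes the Azure.Identity and Azure.Security.KeyVault.Secrets packages are referenced and that the app's managed identity has been granted permission to read secrets in that vault.

```csharp
// Added example, not from the original answer: load a connection string from
// Azure Key Vault using the App Service managed identity. Vault URL and secret
// name are placeholders.
using System;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.Data.SqlClient;

public static class ConnectionStrings
{
    // Placeholder: replace with the real vault URL.
    private static readonly Uri VaultUri = new Uri("https://<your-vault-name>.vault.azure.net/");

    public static string Load(string secretName)
    {
        // In Azure, DefaultAzureCredential authenticates as the App Service managed
        // identity; on a developer machine it falls back to an interactive/CLI login.
        // No client secret or certificate is stored with the application either way.
        var client = new SecretClient(VaultUri, new DefaultAzureCredential());
        KeyVaultSecret secret = client.GetSecret(secretName);
        return secret.Value;
    }
}

public static class Program
{
    public static void Main()
    {
        // Fetch once at startup and hold in memory; the secret is never written to disk,
        // so scaling out adds instances that each read the same vault value.
        string connectionString = ConnectionStrings.Load("AppDb-ConnectionString");

        using var conn = new SqlConnection(connectionString);
        conn.Open();
        using var cmd = new SqlCommand("SELECT @@VERSION", conn);
        Console.WriteLine(cmd.ExecuteScalar());
    }
}
```

Two practical notes: grant the identity only the secret "get" permission it needs rather than a broad role, and if you prefer not to touch code at all, App Service can resolve an app setting of the form @Microsoft.KeyVault(SecretUri=...) against the same managed identity, which gives the same scale-out behaviour with the secret still living only in the vault.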

Windows Azure Web Role PublishSettings file purpose

As part of deployment we need to create a publish settings file or a self-signed certificate.
Could someone please help me understand why we need this? To encrypt every request from a given machine, or from any machine?
To publish a deployment from a tool (Visual Studio, PowerShell, or custom using the Service Management API), you will need to authorize that tool to work with Windows Azure. If you deploy via the Windows Azure management portal, this isn't needed because it knows you (via your authenticated Microsoft Account).
That authorization comes in the form of an X509 certificate. Like you mentioned, you can create it yourself, or you can have Windows Azure create one for you in the form of a .publishsettings file. That file contains an encoded X509 certificate. When you import that file into a tool like Visual Studio or the PowerShell cmdlets, the certificate is installed to your local certificate store. Then it can be used to authenticate requests between your machine and Windows Azure.
As for how to manage the certs, I typically prefer to have at least one per machine. I think it makes it easier to remove a cert if I need to, and not impact other machines I'm using. But, that's really up to you.
I always assumed the certificate was needed to authenticate the right to publish
(you don't want just anybody being able to deploy to your site)