On-Premise SQL Server and Azure Key Vault

  • Question

  • Hello,

    I am currently working on implementing SQL Server TDE (Transparent Data Encryption) and using Azure Key Vault as the store for the keys. The SQL Servers are behind a firewall on-prem and we have opened the following as per Microsoft:



    But when I try to connect and open the key, we get the following:

    Cannot open session for crypto provider. provider error code 3106. 

    I looked in the SQL connector and it is not a documented error code.

    Is there a missing port or site that we have to open then?


    Friday, August 23, 2019 12:08 PM

All replies

  • As per the documentation, if you don't see your error code in the table, the error may be happening because:

    • You may not have Internet access and cannot access your Azure Key Vault - please check your Internet connection.
    • The Azure Key Vault service may be down. Try again at another time.
    • You may have dropped the asymmetric key from Azure Key Vault or SQL Server. Restore the key.

    Also, are you getting the error while creating the DEK? Did you try to telnet to the services/port you have opened?

    Friday, August 23, 2019 8:22 PM
  • Hello,

    Basically, I am following the steps for enabling TDE with Key Vault. I am running this and that error comes up:

    FROM PROVIDER [AzureKeyVault_EKM_Prov]  

    Saturday, August 24, 2019 11:18 AM
  • I believe you are having a connectivity issue, since during the creation of the symmetric key the connector needs to communicate with the Azure Key Vault to fetch the key. Can you please check the SQL Server TDE Extensible Key Management Using Azure Key Vault - Setup Steps to see if you have followed all the steps?
    Friday, August 30, 2019 7:14 PM
  • Please let us know if the above answers were helpful and remember to mark as answer.

    If none of the answers helped you, let us know, and we'll try to provide assistance. Thanks!

    Tuesday, September 3, 2019 6:50 AM