BizTalk 2016 Feature Pack 1 (Always Encrypted)


  • Hi,

    I am performing a POC using BizTalk as IaaS in Azure.  I have setup encrypted columns in SQL and have written a pipeline component which can access the encrypted columns as needed.  This pipeline component registers Azure Key Vault provider, so that the .NET 4.6 client driver can pull column master key from Azure Key Vault. (Note that the metadata around the encrypted columns details where the column master key is stored, in this case Azure Key Vault).

    Now I am attempting to utilizing the WCF-SQL Adapter support for Always Encrypted.  This flag basically enables the encrypted parameter to be set on the SQL connection string used by the adapter.  I see how this would work if the column master key was stored in Windows Certificate Store on BizTalk machine. The account under which the host instance is running is granted access to the certificate store.  The WCF-SQL adapter with the Always Encrypted ColumnEncryptionSetting enabled would then query the database which would return the metadata detailing where the column master key is stored (This is all transparent to the query).  Central to this is Windows Certificate store provider is built into the .NET 4.6 client driver.

    My question revolves around how the WCF-SQL adapter would access Azure Key Vault.  The Azure Key Vault provider is not built in and would need to be registered.  The account under which the host instance is running would need to authenticate to Azure Key Vault.  There does not appear to be any configuration in the WCF-SQL adapter other than Always Encrypted ColumnEncryptionSetting.  So my questions are as follows;

    1.)  How would the WCF-SQL adapter register the Azure Key Vault provider?

    2.)  How would the WCF-SQL adapter authenticate to Azure Key Vault?

    Azure Key Vault supports certificate authentication with this authentication method I might be able to put the client certificate in BizTalk machine local certificate store to allow BizTalk host instance to authenticate with the Azure Key Vault.  This might be a way to handle question 2.

    If I figure this out, I will update the question.



    Saturday, June 3, 2017 10:50 PM