Tags: azure, azure-sql-database, azure-keyvault, always-encrypted

Permission level for accessing Always Encrypted (Azure Key Vault)


I'm trying to create column encryption in Azure (via the Always Encrypted wizard). I have one big doubt in this scenario.

There are several ways to store the CMK, such as the Windows Store or Azure Key Vault.

In the Windows Store there are two options, User and Local Machine. With the User option the CMK works only for that particular local machine and that particular user (able to decrypt using Column Encryption Setting=Enabled), whereas the Local Machine option works for all users on the same machine (able to decrypt using Column Encryption Setting=Enabled).

My doubt is: when Azure Key Vault is used to store the CMK, who is able to decrypt the encrypted column?

My understanding is that only the users who have access (under Access Policies) to the Azure Key Vault are able to decrypt the encrypted column. Is that right?

Could anyone please guide me?

Thanks in advance,
Jay


Solution

  • My understanding is that only the users who have access (under Access Policies) to the Azure Key Vault are able to decrypt the encrypted column. Is that right?

    Yes, that is correct. You would need the following permissions: create, get, wrapKey, unwrapKey, sign, verify, list.

    Here are a couple of articles that walk you through the basic Always Encrypted workflow using AKV:
    Article 1
    Article 2
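The following Azure PowerShell (Az module) script is an added example, not part of the original question or answer. It grants the Key Vault key permissions the answer lists to the identity that provisions the CMK, grants a narrower set to an application identity that only reads and writes the encrypted columns, and then reads the access policies back so you can audit who can unwrap the CMK. The vault name, user principal name and application ID are placeholders.

```powershell
# Added example (not from the original post): Key Vault access policies for an
# Always Encrypted column master key, plus an audit of who can unwrap it.
# All names below are placeholders.
Connect-AzAccount

$vaultName = 'ae-demo-kv'            # assumed vault name
$adminUpn  = 'jay@contoso.com'       # assumed user who runs the Always Encrypted wizard
$appId     = '00000000-0000-0000-0000-000000000000'   # assumed application (client) ID

# Whoever provisions the CMK/CEK (wizard, SSMS, PowerShell cmdlets) needs the full
# set from the answer: create/list to pick or make the key, wrapKey/sign to
# encrypt and sign CEKs, unwrapKey/verify to read them back.
$provisioningPerms = 'create','get','list','wrapKey','unwrapKey','sign','verify'
Set-AzKeyVaultAccessPolicy -VaultName $vaultName `
                           -UserPrincipalName $adminUpn `
                           -PermissionsToKeys $provisioningPerms

# An application that only queries the encrypted columns with
# "Column Encryption Setting=Enabled" needs to fetch the key metadata (get),
# decrypt the CEK (unwrapKey) and check the CEK signature (verify). Nothing more.
$runtimePerms = 'get','unwrapKey','verify'
Set-AzKeyVaultAccessPolicy -VaultName $vaultName `
                           -ServicePrincipalName $appId `
                           -PermissionsToKeys $runtimePerms

# Audit step: every identity with unwrapKey on this vault can decrypt the CEKs,
# and therefore the column data, regardless of its SQL-level permissions.
$vault = Get-AzKeyVault -VaultName $vaultName
$vault.AccessPolicies |
    Where-Object { $_.PermissionsToKeys -contains 'unwrapKey' } |
    Select-Object DisplayName, ObjectId, PermissionsToKeys |
    Format-Table -AutoSize
```

The point the audit makes explicit is the one the answer states: with Azure Key Vault, the boundary is the vault's access policy, not the database. Revoking a principal's unwrapKey permission (Remove-AzKeyVaultAccessPolicy, or re-running Set-AzKeyVaultAccessPolicy with a reduced list) is what removes its ability to decrypt, so the unwrapKey list is what to review periodically.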