I'm trying to insert data into an Azure SQL table with a column that's encrypted via Always Encrypted, and a column master key stored in Azure Key Vault. Attempting so results in this error:
[ADO NET Destination [2]] Error: An exception has occurred during data insertion, the message returned from the provider is: ERROR [CE269] [Microsoft][ODBC Driver 17 for SQL Server][SQL Server]Error 12038 sending request to https://[keyvault].vault.azure.net:443ERROR [CE263] [Microsoft][ODBC Driver 17 for SQL Server][SQL Server]Error verifying signature of ECEK.
ERROR [CE202] [Microsoft][ODBC Driver 17 for SQL Server][SQL Server]The keystore provider AZURE_KEY_VAULT failed to decrypt the ECEK https://[keyvault].vault.azure.net:443/keys/[cmk]/[version] with RSA_OAEP.
I'm using an ADO.NET destination with the ODBC data provider, using this connection string:
DRIVER=ODBC Driver 17 for SQL Server;SERVER=[dbs].database.windows.net;UID=[uid@example.com];PWD=[password];Authentication=ActiveDirectoryPassword;DATABASE=[database];ColumnEncryption=Enabled;KeyStoreAuthentication=KeyVaultPassword;KeyStorePrincipalId=[uid@example.com];KeyStoreSecret=[password]
[uid@example.com] is an Azure Active Directory user that's provisioned in the Azure SQL database so it's able to log in. It has all key privileges granted to it in the key vault's access policy.
I've confirmed the encryption keys work, as I can manually insert data into the table via SSMS and observe the column values are encrypted as expected.
Does anyone know how to resolve the above error?