
CREATE CRYPTOGRAPHIC PROVIDER (Transact-SQL)

Applies To: SQL Server 2014, SQL Server 2016 Preview

Topic Status: Some information in this topic is preview and subject to change in future releases. Preview information describes new features or changes to existing features in Microsoft SQL Server 2016 Community Technology Preview 2 (CTP2).

Creates a cryptographic provider within SQL Server from an Extensible Key Management (EKM) provider.

Applies to: SQL Server (SQL Server 2008 through current version).

Transact-SQL Syntax Conventions

CREATE CRYPTOGRAPHIC PROVIDER provider_name 
    FROM FILE = path_of_DLL

provider_name

Is the name of the Extensible Key Management provider.

path_of_DLL

Is the path of the .dll file that implements the SQL Server Extensible Key Management interface. When using the SQL Server Connector for Microsoft Azure Key Vault, the default location is 'C:\Program Files\Microsoft SQL Server Connector for Microsoft Azure Key Vault\Microsoft.AzureKeyVaultService.EKM.dll'.

All keys created by a provider will reference the provider by its GUID. The GUID is retained across all versions of the DLL.

The DLL that implements the SQLEKM interface must be digitally signed by using any certificate. SQL Server verifies the signature, including its certificate chain, whose root must be installed at the Trusted Root Certification Authorities location on the Windows system. If the signature cannot be verified, the CREATE CRYPTOGRAPHIC PROVIDER statement fails. For more information about certificates and certificate chains, see SQL Server Certificates and Asymmetric Keys.

When an EKM provider DLL does not implement all of the necessary methods, CREATE CRYPTOGRAPHIC PROVIDER can return error 33085:

One or more methods cannot be found in cryptographic provider library '%.*ls'.

When the header file used to create the EKM provider DLL is out of date, CREATE CRYPTOGRAPHIC PROVIDER can return error 33032:

SQL Crypto API version '%02d.%02d' implemented by provider is not supported. Supported version is '%02d.%02d'.

Requires CONTROL SERVER permission or membership in the sysadmin fixed server role.

The following example creates a cryptographic provider called SecurityProvider in SQL Server from a .dll file. The .dll file is named c:\SecurityProvider\SecurityProvider_v1.dll and it is installed on the server. The provider's certificate must first be installed on the server.

-- Install the provider
CREATE CRYPTOGRAPHIC PROVIDER SecurityProvider
    FROM FILE = 'C:\SecurityProvider\SecurityProvider_v1.dll';
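
The following script is an added example, not part of the original topic. It wraps the statement above with the permission check and the two documented error numbers (33085 and 33032), then reads back the GUID that keys will reference. It assumes the `EKM provider enabled` server option and the `sys.cryptographic_providers` catalog view, neither of which is described on this page.

```sql
-- Added example. Provider name and DLL path are the ones used in the sample above.
-- Assumption: EKM must be switched on at the instance level before a provider can load.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'EKM provider enabled', 1;
RECONFIGURE;
GO

-- The statement requires CONTROL SERVER (sysadmin members hold it implicitly).
IF HAS_PERMS_BY_NAME(NULL, NULL, 'CONTROL SERVER') <> 1
BEGIN
    RAISERROR(N'CONTROL SERVER permission is required to create a cryptographic provider.', 16, 1);
    RETURN;
END;

BEGIN TRY
    CREATE CRYPTOGRAPHIC PROVIDER SecurityProvider
        FROM FILE = 'C:\SecurityProvider\SecurityProvider_v1.dll';
END TRY
BEGIN CATCH
    DECLARE @num int = ERROR_NUMBER(),
            @msg nvarchar(2048) = ERROR_MESSAGE();

    -- Map the error numbers documented on this page to their cause.
    DECLARE @hint nvarchar(200) = CASE @num
        WHEN 33085 THEN N'The DLL does not implement all of the necessary EKM methods.'
        WHEN 33032 THEN N'The DLL was built with an out-of-date EKM header file.'
        ELSE N'Check that the DLL is signed and that its chain root is a trusted root on this server.'
    END;

    RAISERROR(N'CREATE CRYPTOGRAPHIC PROVIDER failed (%d): %s Hint: %s', 16, 1, @num, @msg, @hint);
    RETURN;
END CATCH;

-- Record the GUID: keys created by this provider reference it,
-- and it stays the same across versions of the DLL.
SELECT provider_id, name, guid, version, dll_path, is_enabled
FROM sys.cryptographic_providers
WHERE name = N'SecurityProvider';
```

Comparing `dll_path` and `guid` against the values approved for deployment is a quick audit that the instance loaded the intended provider DLL.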
© 2015 Microsoft