在 EF Core 中使用 Always Encrypted 并将主密钥存储在 Azure Key Vault 中

1. Configure Always Encrypted

2. Create Azure AD application and configure access policy for the application in Azure key vault.

3. Configure application

   a. install sdk

    ItemGroup>
   <PackageReference Include="Microsoft.EntityFrameworkCore.SqlServer" Version="3.1.1" />
   <PackageReference Include="Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider" Version="1.1.0" />
   <PackageReference Include="Microsoft.EntityFrameworkCore.Tools" Version="3.1.1">
   <PrivateAssets>all</PrivateAssets>
   <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
   </PackageReference>
   <PackageReference Include="Microsoft.IdentityModel.Clients.ActiveDirectory" Version="5.2.7" />
   <PackageReference Include="Microsoft.VisualStudio.Web.CodeGeneration.Design" Version="3.1.1" />
   </ItemGroup>
   
   

   b. Create Modle

   public class Patient
   {
   
     public int PatientId { get; set; }
     public string SSN { get; set; }
     public string FirstName { get; set; }
     public string LastName { get; set; }
     public DateTime BirthDate { get; set; }
   }
   

   c. create DbContext

   public class TestContext :DbContext
   {
      private static Boolean isInitialized;
      public  TestContext(DbContextOptions<TestContext> options) : base(options)
      {
          if(! isInitialized) { InitializeAzureKeyVaultProvider(); isInitialized = true; }
   
   
      }
   
   
      public DbSet<Patient> Patients { get; set; }
      protected override void OnModelCreating(ModelBuilder modelBuilder)
      {
          modelBuilder.Entity<Patient>().ToTable("Patients");
      }
   
      private static string clientId = "the ad application appid";
      private static string clientSecret = "the ad application appSecret";
      private static ClientCredential _clientCredential;
   
      private static void  InitializeAzureKeyVaultProvider()
      {
          _clientCredential = new ClientCredential(clientId, clientSecret);
   
          SqlColumnEncryptionAzureKeyVaultProvider azureKeyVaultProvider =
            new SqlColumnEncryptionAzureKeyVaultProvider(GetToken);
   
          Dictionary<string, SqlColumnEncryptionKeyStoreProvider> providers =
            new Dictionary<string, SqlColumnEncryptionKeyStoreProvider>();
   
          providers.Add(SqlColumnEncryptionAzureKeyVaultProvider.ProviderName, azureKeyVaultProvider);
          SqlConnection.RegisterColumnEncryptionKeyStoreProviders(providers);
      }
   
      private async static Task<string> GetToken(string authority, string resource, string scope)
      {
          var authContext = new AuthenticationContext(authority);
          AuthenticationResult result = await authContext.AcquireTokenAsync(resource, _clientCredential);
   
          if (result == null)
              throw new InvalidOperationException("Failed to obtain the access token");
          return result.AccessToken;
      }
   }
   

   d. Register the DbContext. Add the following code in Startup.cs. public void ConfigureServices(IServiceCollection services) { services.AddDbContext<TestContext>(options => options.UseSqlServer(Configuration.GetConnectionString("DefaultConnection"))); services.AddControllersWithViews(); }

   e. add connectionString in appsettings.json

   {
   "ConnectionStrings": {
   "DefaultConnection": "Server=tcp:<your server name>.database.windows.net,1433;
   Initial Catalog=<db name>;
   Persist Security Info=False;
   User ID=<user>;
   Password=<password>;
   Column Encryption Setting=enabled;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;"
   },
   ...
   

更多详细信息，请参阅：

https://learn.microsoft.com/zh-cn/aspnet/core/data/ef-mvc/intro?view=aspnetcore-3.1

https://learn.microsoft.com/zh-cn/sql/connect/ado-net/sql/sqlclient-support-always-encrypted?view=sql-server-ver15