The AlwaysEncrypted feature requires you to store the master key in the Windows certificate store, which is only supported on the Windows OS. In this case, a Linux-based container will not be suitable because it lacks the feature to have the Windows certificate store.
AWS Fargate does support hosting Windows containers as well. For your application that is using the AlwaysEncrypted driver, you may consider hosting it on a Windows container. Refer to the Dockerfile code below, which will import and install the master key certificate and password. This process will then allow the driver to transparently encrypt sensitive data before passing it to the SQL Server engine and transparently decrypt data retrieved from encrypted database columns.
Please note that the example below imports the certificate and password from a clear text file. You may consider integrating with AWS Secrets Manager or Systems Manager to retrieve them. Refer to https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data.html for more information.
```dockerfile
FROM mcr.microsoft.com/dotnet/aspnet:7.0-windowsservercore-ltsc2019 AS base
WORKDIR /
# Import certificate and password. Not recommended for staging or production workloads.
COPY ./WebWIthAE/certs/AECert.pfx C:/certs/AECert.pfx
COPY ./WebWIthAE/certs/pwd.txt C:/certs/pwd.txt
# Install Always Encrypted cert to local Windows Certificate Store.
# The PFX password is read from the copied pwd.txt. The variable is named $pfxPwd
# because $pwd is a PowerShell automatic variable (current directory).
RUN powershell.exe -Command "\
$pfxPwd = ConvertTo-SecureString -String (Get-Content -Path C:\certs\pwd.txt -Raw).Trim() -Force -AsPlainText; \
Import-PfxCertificate -FilePath C:\certs\AECert.pfx -Password $pfxPwd -CertStoreLocation Cert:\CurrentUser\My; \
Import-PfxCertificate -FilePath C:\certs\AECert.pfx -Password $pfxPwd -CertStoreLocation Cert:\LocalMachine\My"
# Grant read access to the private key file of the cert (looked up by thumbprint).
# CNG keys (Microsoft Software KSP) live under Crypto\Keys; legacy CAPI keys live under Crypto\RSA\MachineKeys.
RUN powershell.exe -Command "\
$CertObj = Get-ChildItem Cert:\LocalMachine\My\1E91974116DA0F4415930F1A0B946CA2621A99CC; \
$rsaCert = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($CertObj); \
if ($rsaCert -is [System.Security.Cryptography.RSACng]) { $path = Join-Path 'C:\ProgramData\Microsoft\Crypto\Keys' $rsaCert.Key.UniqueName } \
else { $path = Join-Path 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys' $rsaCert.CspKeyContainerInfo.UniqueKeyContainerName }; \
$permissions = Get-Acl -Path $path; \
$user = 'Everyone'; \
$permission = 'Read'; \
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($user, $permission, 'Allow'); \
$permissions.AddAccessRule($rule); \
Set-Acl -Path $path -AclObject $permissions"
```
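The following PowerShell script is an added example that is not part of the answer above or of any AWS or Microsoft code. It carries the same two steps (import the column master key certificate, grant read access to its private key file) but takes the PFX password from an environment variable instead of a file baked into the image, grants Read only to the identity the application runs under instead of to Everyone, handles both CNG and legacy CAPI key storage locations, and verifies the resulting ACL. The variable names `AE_PFX_PASSWORD` and `AE_KEY_READER`, the path `C:\certs\AECert.pfx`, and the default reader account `ContainerUser` are assumptions; because ECS injects Secrets Manager or Parameter Store values into the running task rather than into the image build, the script is meant to run from the container entrypoint (as the container's administrator account) before the application starts, not from a `RUN` step.

```powershell
# Added example (not from the original answer). Assumed inputs:
#   AE_PFX_PASSWORD  - PFX password injected as a container secret (ECS "secrets" entry)
#   AE_KEY_READER    - account that runs the application and must read the key (default below)
param(
    [string]$PfxPath   = 'C:\certs\AECert.pfx',
    [string]$KeyReader = $(if ($env:AE_KEY_READER) { $env:AE_KEY_READER } else { 'ContainerUser' })
)
$ErrorActionPreference = 'Stop'

if (-not $env:AE_PFX_PASSWORD) {
    throw 'AE_PFX_PASSWORD is not set; inject it as a container secret rather than baking it into the image.'
}
$pfxPassword = ConvertTo-SecureString -String $env:AE_PFX_PASSWORD -AsPlainText -Force

# The driver resolves the column master key from the LocalMachine store, so import there only.
$cert = Import-PfxCertificate -FilePath $PfxPath -Password $pfxPassword -CertStoreLocation Cert:\LocalMachine\My
Write-Host "Imported column master key certificate $($cert.Thumbprint)"

# Locate the private key file. Keys held by the Microsoft Software KSP (CNG) are stored under
# Crypto\Keys; legacy CAPI keys are stored under Crypto\RSA\MachineKeys.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyFile = Join-Path 'C:\ProgramData\Microsoft\Crypto\Keys' $rsa.Key.UniqueName
} else {
    $keyFile = Join-Path 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys' $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}
if (-not (Test-Path $keyFile)) { throw "Private key file not found at $keyFile" }

# Least privilege: grant Read to the one identity that needs it, not to Everyone.
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($KeyReader, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# Verify the result by SID so that "MACHINE\Account" and "Account" compare equal.
$readerSid = (New-Object System.Security.Principal.NTAccount($KeyReader)).Translate([System.Security.Principal.SecurityIdentifier])
$entries   = (Get-Acl -Path $keyFile).Access
$readerCanRead = $entries | Where-Object {
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $readerSid -and
    (($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData) -ne 0) -and
    $_.AccessControlType -eq 'Allow'
}
if (-not $readerCanRead) { throw "ACL check failed: $KeyReader cannot read $keyFile" }
if ($entries | Where-Object { $_.IdentityReference.Value -eq 'Everyone' }) {
    Write-Warning "Everyone still has an entry on $keyFile; remove it unless that is intentional."
}

# Drop the secret from this process's environment; the entrypoint that launched the script still holds it.
Remove-Item Env:\AE_PFX_PASSWORD
```

A typical wiring is to `COPY` the script into the image, define `AE_PFX_PASSWORD` as a `secrets` entry in the ECS task definition (the link above describes that), and have the entrypoint run `powershell -File C:\certs\Install-AECert.ps1` before starting the application. The CNG/CAPI branch matters because a key created by the default Microsoft Software KSP is not under `RSA\MachineKeys`, so an ACL applied only there would leave the application unable to open the key.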