I am in the process of rolling out SQL Always Encrypted to our Databases and have a query about the Best practice approach to storing the certificate for the CMK.
We have .Net web applictions hosted on a Windows server 2016 box, which each have a distinct AD service account (SA) assigned as their Application Pool ID. We have a SQL server instance on a separate server. This approach allows us to segregate and restrict access per application to the database and is working well.
I don't want to import the CMK cert to the local machine Windows Certificate store, as that would mean all users on the server, primarily the server admins, would have the access to the cert and thus the ability to decrypt the data in the database.
I have currently signed on to the server as the SA and installed the cert under local user. This is the most secure option I can think of, as ONLY the SA is able to decrypt the information, which in turn means only the Application can decrypt the data and no other users can. The issue I'm facing with this approach however is the SA seemingly needs to be logged in to the server all the time, which isn't a feasible long term solution (if the server gets rebooted, the account will be logged off and my application will fail)
Has anyone found any official Microsoft Guidance on where the best place to store the CMK securely is?
Many Thanks
