The action does not support setting up Always On Encryption, which would enable testing this mechanism in the integration tests for SQL Transport and SQL Persistence.
Details
SQL Transport and SQL Persistence both support Always Encrypted. This allows storing data in table columns encrypted at rest and decrypted when requested by a user with sufficient privileges.
Integration with .NET
When configured using the Column Encryption Key approach, the mechanism is transparent for any C# code that uses SqlParameters to construct and execute T-SQL queries (which is the case for the transport and the persister).
Manual Setup
Setting up a Column Encryption Key without the Management Studio wizard is a non-trivial process and (roughly) consists of the following steps:
Add Column Encryption Setting=enabled to the connection string
Create a new (usually self-signed) certificate and store it either in the Windows Certificate Store or Azure Key Vault
Based on the certificate, create a Column Master Encryption Key
Based on the Column Master Encryption Key, create a Column Encryption Key for a selected column that should be encrypted (e.g. Body for SQL Transport)
Challenges
Ideally, the action should set up the Always Encrypted mechanism and enable SQL Transport and SQL Persistence to use it in the acceptance tests. For this to work, at least these problems will likely need to be tackled:
It looks like MS SQL Server running on Linux does not support any local certificate store. In that case, the certificate would need to be stored in Azure Vault instead. NOTE: this might not be true, as this article indicates it might be possible
For any given test, the column to be encrypted is known only by these tests (especially the table name). It is likely that the actions would have to set up everything except the Column Encryption Key and would need to pass the certificate's thumbprint to the test to enable the key setup.
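The manual steps listed under Manual Setup, as an added PowerShell example for a Windows host with the SqlServer module installed (not part of the original issue or of the action's code). The server, database, key names and the table `dbo.MyQueue` are placeholders chosen for illustration; only the `Body` column and the `Column Encryption Setting=enabled` keyword come from the issue.

```powershell
# Added example. Placeholder values: replace before use.
$serverName   = "<server name>"
$databaseName = "<database name>"
$cmkName      = "TestCMK"        # hypothetical key name
$cekName      = "TestCEK"        # hypothetical key name
$column       = "dbo.MyQueue.Body"  # hypothetical table; Body is the SQL Transport column

Import-Module SqlServer

# Step 1: the application connection string opts in to Always Encrypted.
# The tests would use this string; the provisioning below does not need it.
$appConnStr = "Server=$serverName;Database=$databaseName;" +
              "Integrated Security=True;Column Encryption Setting=enabled"

# Step 2: self-signed certificate in the Windows Certificate Store.
# The private key stays on the client; SQL Server only stores metadata.
$cert = New-SelfSignedCertificate -Subject "AlwaysEncryptedTestCert" `
    -CertStoreLocation Cert:\CurrentUser\My `
    -KeyExportPolicy Exportable -Type DocumentEncryptionCert `
    -KeyUsage DataEncipherment -KeySpec KeyExchange

# Provisioning connection (no column encryption needed to write key metadata).
$adminConnStr = "Server=$serverName;Database=$databaseName;Integrated Security=True"
$database = Get-SqlDatabase -ConnectionString $adminConnStr

# Step 3: Column Master Key metadata pointing at the certificate thumbprint.
$cmkSettings = New-SqlCertificateStoreColumnMasterKeySettings `
    -CertificateStoreLocation "CurrentUser" -Thumbprint $cert.Thumbprint
New-SqlColumnMasterKey -Name $cmkName -InputObject $database `
    -ColumnMasterKeySettings $cmkSettings | Out-Null

# Step 4: Column Encryption Key, generated and wrapped by the master key,
# then applied to the selected column.
New-SqlColumnEncryptionKey -Name $cekName -InputObject $database `
    -ColumnMasterKey $cmkName | Out-Null
$ces = @(New-SqlColumnEncryptionSettings -ColumnName $column `
    -EncryptionType "Randomized" -EncryptionKey $cekName)
Set-SqlColumnEncryption -InputObject $database -ColumnEncryptionSettings $ces

# The thumbprint is the value a test would need to locate the certificate.
Write-Output "Certificate thumbprint: $($cert.Thumbprint)"
Write-Output "Application connection string: $appConnStr"
```

If the column is only known inside the test, as the second challenge describes, the script can stop after the Column Master Key step and hand `$cert.Thumbprint` to the test.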