Update create-asymmetric-key-transact-sql.md | RSA-HSM support in SQL 2022 (#33839)

hubutler · web-flow · commit 3f6fcf3b3b29 · 2025-04-22T13:24:07.000-04:00
* Update create-asymmetric-key-transact-sql.md

related to IcM 618554163.  when using Azure Key Vault Managed HSM you can create keys with algorithm RSA-HSM but this is only supported starting in SQL server 2022. this is otherwise not documented anywhere and I had a case where a customer was trying to use it in SQL 2017, which is not supported.

* Update setup-steps-for-extensible-key-management-using-the-azure-key-vault.md

adding a note to say we can only use RSA-HSM_2048 and RSA-HSM_3072 starting in SQL 2022. related to IcM 618554163
diff --git a/docs/relational-databases/security/encryption/setup-steps-for-extensible-key-management-using-the-azure-key-vault.md b/docs/relational-databases/security/encryption/setup-steps-for-extensible-key-management-using-the-azure-key-vault.md
@@ -389,6 +389,8 @@ In [step 2](#step-2-create-a-key-vault), we learned how to create a key vault an
    > [!NOTE]
    > When creating a credential to access the Managed HSM, the identity is `<name of Managed HSM>.managedhsm.azure.net`, which can be found in the Azure Key Vault Managed HSM **Overview** as the **HSM URI** in the Azure portal.
    >
+   > Algorithm RSA-HSM_2048 and RSA-HSM_3072 are supported starting in SQL Server 2022 (16.x).
+   > 
    > Automatic key rotation is supported in Azure Key Vault Managed HSM. For more information, see [Configure key auto-rotation in Azure Managed HSM](/azure/key-vault/managed-hsm/key-rotation).
    >
    > [SQL Server Connector version 15.0.2000.440](https://www.microsoft.com/en-us/download/details.aspx?id=45344) or later is required to support Azure Key Vault Managed HSM.
diff --git a/docs/t-sql/statements/create-asymmetric-key-transact-sql.md b/docs/t-sql/statements/create-asymmetric-key-transact-sql.md
@@ -98,6 +98,8 @@ CREATE ASYMMETRIC KEY asym_key_name
  Five algorithms can be provided; RSA_4096, RSA_3072, RSA_2048, RSA_1024, and RSA_512.  
   
  RSA_1024 and RSA_512 are deprecated. To use RSA_1024 or RSA_512 (not recommended) you must set the database to database compatibility level 120 or lower.  
+
+ Starting in SQL Server 2022 (16.x), RSA-HSM_2048 and RSA-HSM_3072 are supported.
   
  PROVIDER_KEY_NAME = '*key_name_in_provider*'  
  Specifies the key name from the external provider.  

Original file line number	Diff line number	Diff line change
`@@ -389,6 +389,8 @@ In [step 2](#step-2-create-a-key-vault), we learned how to create a key vault an`
`389`	`389`	`> [!NOTE]`
`390`	`390`	> When creating a credential to access the Managed HSM, the identity is `<name of Managed HSM>.managedhsm.azure.net`, which can be found in the Azure Key Vault Managed HSM Overview as the HSM URI in the Azure portal.
`391`	`391`	`>`
	`392`	`+ > Algorithm RSA-HSM_2048 and RSA-HSM_3072 are supported starting in SQL Server 2022 (16.x).`
	`393`	`+ >`
`392`	`394`	`> Automatic key rotation is supported in Azure Key Vault Managed HSM. For more information, see [Configure key auto-rotation in Azure Managed HSM](/azure/key-vault/managed-hsm/key-rotation).`
`393`	`395`	`>`
`394`	`396`	`> [SQL Server Connector version 15.0.2000.440](https://www.microsoft.com/en-us/download/details.aspx?id=45344) or later is required to support Azure Key Vault Managed HSM.`