Troubleshoot the Vault EKM provider
Check Windows event logs
Logs from the Vault EKM provider will appear in Windows Event Viewer under "Windows Logs" > "Application" with source "Transit Vault EKM Provider".
Enable trace logging
If the logs in the Event Viewer don't give enough information to debug your issue, enable trace logging in the provider's configuration.
Restart SQL Server for the configuration change to take effect; the more detailed logs then appear in the same section of Windows Event Viewer.
Check SQL Server error logs
If the Vault EKM provider is not generating event logs, you may find some information in the SQL Server's error logs. Check for an event with ID 17111 from "MSSQLSERVER" which details the file location of the error logs, for example "Logging SQL Server messages in file 'C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Log\ERRORLOG'."
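The lookup described above can be scripted. The following PowerShell is an added example, not code from the Vault documentation: it reads event 17111 from the Application log to find the current ERRORLOG path, then pulls out the lines that concern the EKM provider (including the two messages quoted in the Authenticode section). It assumes the default instance, whose event source is "MSSQLSERVER"; a named instance logs under "MSSQL$<InstanceName>" instead, so adjust $source for that case. The list of search patterns is the author's choice, not a list from the page.

```powershell
# Added example (not from the Vault docs): locate the SQL Server ERRORLOG via
# event 17111 and pull out the lines relevant to the EKM provider.
# Assumes the default instance; a named instance uses "MSSQL$<InstanceName>".
$source = 'MSSQLSERVER'

# Event 17111 is written at service start and names the current ERRORLOG file.
# -ErrorAction Stop turns "No events were found" into a terminating error.
$startup = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = $source
    Id           = 17111
} -MaxEvents 1 -ErrorAction Stop

# The message has the form: Logging SQL Server messages in file '<path>'.
if (-not ($startup.Message -match "in file '([^']+)'")) {
    throw "Could not parse the ERRORLOG path from event 17111: $($startup.Message)"
}
$errorLogPath = $Matches[1]
Write-Host "SQL Server ERRORLOG: $errorLogPath"

# Strings that indicate EKM / cryptographic provider problems (assumed list;
# the first two are the messages quoted in the Authenticode section).
$patterns = @(
    'Failed to verify Authenticode signature',
    'Cannot load library',
    'cryptographic provider',
    'EKM'
)

# ERRORLOG is written as UTF-16 with a byte-order mark, which Get-Content
# detects. Select-String is case-insensitive by default; keep the newest hits.
Get-Content -Path $errorLogPath |
    Select-String -Pattern $patterns -SimpleMatch |
    ForEach-Object { $_.Line } |
    Select-Object -Last 20
```

Run it in an elevated PowerShell session on the SQL Server host; reading the Application log and the ERRORLOG directory under Program Files both need administrator rights. If the script throws at the Get-WinEvent step, SQL Server has not logged a startup event under that source since the log was last cleared, and the instance name or source is the first thing to re-check.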
Authenticode error
When running the CREATE CRYPTOGRAPHIC PROVIDER SQL query, if you get a "Cannot load library" error, you may see "Failed to verify Authenticode signature on DLL" in the SQL Server error logs. This can normally be remediated by updating the CA trust store to include the latest DigiCert certificates. Run the following in an elevated PowerShell session to import the required certificates into the Root trust store:
# Create a scratch directory for the downloaded trust material
New-Item -ItemType Directory -Path certs
# Download the current Windows Update root certificate list (authrootstl.cab) into it
certutil -syncwithWU .\certs\
# Extract the cab to get authroot.stl and the individual root certificates
extrac32 -L .\certs\ .\certs\authrootstl.cab
# Import the trust list into the machine (enterprise) Root store, overwriting any existing entry
certutil -f -ent -AddStore Root .\certs\authroot.stl
# Import the two DigiCert root certificates the provider's signature chain requires
certutil -f -ent -AddStore Root .\certs\0563b8630d62d75abbc8ab1e4bdfb5a899b24d43.crt
certutil -f -ent -AddStore Root .\certs\ddfb16cd4931c973a2037d3fc83a4d7d775d05e4.crt
# Clean up the scratch directory
Remove-Item -Recurse .\certs\
Error codes
During installation, the EKM provider registers a manifest of coded event logs to aid debugging. You may see the following error codes during operation.
2050 license error
The EKM provider reached Vault and evaluated the license response, but the Key Management Transparent Data Encryption feature is not present on the Vault license. Refer to the installation prerequisites for the required license feature.
2051 AppRole authentication failure
The EKM provider cannot authenticate with Vault. Verify that the Role ID and Secret ID you provided when configuring the SQL Server CREDENTIAL are correct. Refer to the installation instructions for an end-to-end working example.
2052 Vault connectivity failure
The EKM provider cannot connect to Vault. Check DNS resolution, network routing, TLS configuration, and general network access between the SQL Server host and the Vault server. Check the Vault audit logs to confirm whether any requests arrive from the SQL Server host.
2053 License status lookup failure
The EKM provider connected and authenticated successfully, but cannot retrieve the Vault license status. Verify that:
- The policy assigned to the AppRole grants the "read" capability on the "sys/license/status" path. Refer to the "tde-policy" in the installation instructions for an example of a working policy.
- Your Vault version exposes the "/sys/license/status" endpoint.
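The event log check at the top of this page and the four error codes above describe the same sequence of steps the provider performs: reach Vault, log in with AppRole, read the license status, confirm the feature. The following PowerShell is an added example, not code from the Vault documentation or the EKM provider: it first lists the provider's recent events from the Application log with the documented meaning of each code, then reproduces the same steps with Invoke-RestMethod so you can see which one fails without restarting SQL Server. The Vault address, Role ID, Secret ID and AppRole mount path are placeholders; the health-endpoint query parameters and the JSON location of the feature list (data.autoloaded.features) are assumptions about the Vault API, while the feature name is the one cited above.

```powershell
# Added example (not from the Vault docs): triage the provider's coded events and
# reproduce its Vault calls step by step. All values below are placeholders.
$vaultAddr = 'https://vault.example.com:8200'   # placeholder Vault address
$roleId    = '<role-id>'                         # placeholder, from the AppRole
$secretId  = '<secret-id>'                       # placeholder
$mountPath = 'approle'                           # AppRole auth mount path (assumed)

# 1. Recent provider events, annotated with the documented meaning of each code.
$errorCodes = @{
    2050 = 'License lacks the Key Management Transparent Data Encryption feature'
    2051 = 'AppRole login failed: verify Role ID / Secret ID in the SQL CREDENTIAL'
    2052 = 'Cannot reach Vault: check DNS, routing, TLS, firewall; confirm in Vault audit log'
    2053 = 'Authenticated but cannot read sys/license/status: check policy and Vault version'
}
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Transit Vault EKM Provider'
} -MaxEvents 50 -ErrorAction SilentlyContinue

foreach ($e in $events) {
    $hint = if ($errorCodes.ContainsKey($e.Id)) { $errorCodes[$e.Id] } else { '' }
    '{0:u}  {1,-5} {2,-12} {3}' -f $e.TimeCreated, $e.Id, $e.LevelDisplayName, $hint
    if ($e.Message) { '       ' + ($e.Message -split "`n")[0] }
}

# 2. Reproduce the provider's steps; each failure maps to one code above.

# 2052: basic connectivity. sys/health needs no token; the query parameters make
# a sealed or standby node still return 200 so only transport problems surface.
try {
    $health = Invoke-RestMethod -Method Get `
        -Uri "$vaultAddr/v1/sys/health?standbyok=true&perfstandbyok=true&sealedcode=200"
    Write-Host "Connectivity OK (initialized=$($health.initialized), sealed=$($health.sealed))"
} catch { throw "2052-style failure: cannot reach ${vaultAddr}: $_" }

# 2051: AppRole login with the same Role ID / Secret ID the CREDENTIAL uses.
try {
    $body  = @{ role_id = $roleId; secret_id = $secretId } | ConvertTo-Json
    $login = Invoke-RestMethod -Method Post -Uri "$vaultAddr/v1/auth/$mountPath/login" `
        -ContentType 'application/json' -Body $body
    $token = $login.auth.client_token
    Write-Host "AppRole login OK (policies: $($login.auth.policies -join ', '))"
} catch { throw "2051-style failure: AppRole login rejected: $_" }

# 2053: read the license status with the token the AppRole issued. A 403 here
# means the policy lacks read on sys/license/status; a 404 means the endpoint
# is not available in this Vault version.
try {
    $status = Invoke-RestMethod -Method Get -Uri "$vaultAddr/v1/sys/license/status" `
        -Headers @{ 'X-Vault-Token' = $token }
} catch { throw "2053-style failure: cannot read sys/license/status: $_" }

# 2050: is the feature on the license? Field path is assumed from the Vault API.
$features = @($status.data.autoloaded.features)
if ($features -contains 'Key Management Transparent Data Encryption') {
    Write-Host 'License feature present; the provider should pass the 2050 check.'
} else {
    Write-Warning "2050-style failure: feature missing. Licensed features: $($features -join ', ')"
}
```

Run it from the SQL Server host itself, since the point is to exercise the same DNS, routing and TLS trust path the provider uses; the same script run from an administrator's workstation can succeed while the provider still logs 2052. Supply the Secret ID from a secure prompt or a vault-backed variable rather than leaving it in the script, and compare the policies printed after login with the "tde-policy" from the installation instructions when the 2053 step fails.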