»Troubleshooting the Vault EKM Provider

»Check Windows Event Logs

Logs from the Vault EKM provider will appear in Windows Event Viewer under "Windows Logs" > "Application" with source "Transit Vault EKM Provider".

»Enable trace logging

If the logs in the Event Viewer don't give enough information to help debug your issue, you can enable trace logging.

Restart SQL Server for the config change to take effect, and you should see more detailed logs in the same section of Windows Event Viewer.

»Error Codes

During installation, the EKM provider registers a manifest of coded event logs to aid debugging. You may see the following error codes during operation.

»2050 License Error

The EKM provider was unable to verify that Vault has the correct license features. This could be due to:

• An incompatible Vault Enterprise license - see the installation prerequisites for the required license feature.
• Lack of network connectivity - Check Vault's audit logs to see if any requests are made to authenticate via AppRole or query the /sys/license/status API.
• Misconfigured AppRole auth - Ensure you provided the correct Role ID and Secret ID when configuring the SQL Server CREDENTIAL. See the installation instructions for an end-to-end working example.
• Incorrect policy permissions - The EKM provider requires the read capability on the path sys/license/status. See the tde-policy created in the installation instructions for an example of a working policy.