title | description | author | ms.author | ms.date | ms.service | ms.subservice | ms.topic | ms.custom | |
---|---|---|---|---|---|---|---|---|---|
Security Limitations for SQL Server on Linux | Learn about SQL Server on Linux restrictions, including how using keys stored in Azure Key Vault and extensible Key Management aren't supported. | rwestMSFT | randolphwest | 02/20/2025 | sql | linux | conceptual | | |

[!INCLUDE SQL Server - Linux]
[!INCLUDE ssnoversion-md] on Linux currently has the following limitations:
- A standard password policy is provided. `MUST_CHANGE` is the only option you can configure. When the `CHECK_POLICY` option is enabled, it enforces only the default policy provided by [!INCLUDE ssnoversion-md], and doesn't apply the Windows password policies defined in the Active Directory group policies.
- Extensible Key Management isn't supported in [!INCLUDE sssql22-md] CU 11 and earlier versions. Extensible Key Management is only supported through Azure Key Vault (AKV).
- [!INCLUDE ssnoversion-md] authentication mode can't be disabled.
- Password expiration is hard-coded to 90 days if you use [!INCLUDE ssnoversion-md] authentication.
- Using keys stored in the Azure Key Vault isn't supported in [!INCLUDE sssql22-md] CU 11 and earlier versions.
- [!INCLUDE ssnoversion-md] generates its own self-signed certificate for encrypting connections. [!INCLUDE ssnoversion-md] can be configured to use a user-provided certificate for TLS.
Note
If you don't plan to connect your [!INCLUDE ssnoversion-md] containers to Windows Active Directory and you use [!INCLUDE ssnoversion-md] authentication only, the password expiration is hard-coded to 90 days. To work around this issue, consider changing the `CHECK_EXPIRATION` policy.
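
The following T-SQL is an added example, not part of the original article. It audits which SQL-authenticated logins are subject to password expiration, then applies the `CHECK_EXPIRATION` workaround to a single login while leaving `CHECK_POLICY` on. The login name `app_svc_login` is a hypothetical placeholder.

```sql
-- Audit: list SQL-authenticated logins with their password policy state.
SELECT
    name,
    is_disabled,
    is_policy_checked,      -- 1 = CHECK_POLICY is ON
    is_expiration_checked,  -- 1 = CHECK_EXPIRATION is ON (login is subject to expiration)
    LOGINPROPERTY(name, 'PasswordLastSetTime') AS password_last_set,
    LOGINPROPERTY(name, 'DaysUntilExpiration') AS days_until_expiration,
    LOGINPROPERTY(name, 'IsExpired')           AS is_expired,
    LOGINPROPERTY(name, 'IsMustChange')        AS is_must_change
FROM sys.sql_logins
WHERE name NOT LIKE '##%'   -- skip internal ##MS_...## logins
ORDER BY is_expiration_checked DESC, name;
GO

-- Workaround for one login (hypothetical name): stop enforcing expiration,
-- but keep CHECK_POLICY ON so the default password policy still applies.
-- This statement fails while the login still has a pending MUST_CHANGE,
-- so the password must be changed first in that case.
ALTER LOGIN [app_svc_login]
    WITH CHECK_EXPIRATION = OFF, CHECK_POLICY = ON;
GO

-- Verify the change took effect.
SELECT name, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE name = N'app_svc_login';
GO
```

Scope the change to the specific logins that need it, and rotate their passwords by another process, because nothing forces a change once expiration is off.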
For more information about security features available in [!INCLUDE ssnoversion-md], see Security for SQL Server Database Engine and Azure SQL Database.
[!INCLUDE connect-with-sa]