This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 4%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENH%3C/text%3E%3C/svg%3E)
Struggling with an issue in SSDT when deploying seed data to a table that has AlwaysEncrypted Enabled.
SQL Server 2019 Enterprise Windows Server 2016 Data Center Visual Studio 2019 Community Edition 16.7.2 (current release as of this post)
Column Master Key, Column Encryption Keys, and Column definions are in project, and DB deploys without issue. Here is the post deployent script:
SET IDENTITY_INSERT DBO.Table1 ON
IF NOT EXISTS (SELECT * FROM DBO.Table1 WHERE Table1ID = 0)
BEGIN
--need to parameterize values for always encrypted columns
declare @fname nvarchar(20) = ''
declare @lname nvarchar(25) = ''
INSERT INTO DBO.Table1 (Table1ID, [FirstName], [LastName], [DateOfBirth] )
VALUES (0,@fname,@lname,'2999-09-09')
END
SET IDENTITY_INSERT DBO.Table1 OFF
When executing this directly in SSMS with the AlwaysEncrypted flag set, the insert is successfully. This is true for both in normal and SQLCMD modes.
When publishing with SSDT via a published profile, I get the following error:
(101,1): SQL72014: .Net SqlClient Data Provider: Msg 33277, Level 16, State 6, Line 13 Encryption scheme mismatch for columns/variables '@fname'. The encryption scheme for the columns/variables is (encryption_type = 'PLAINTEXT') and the expression near line '13' expects it to be DETERMINISTIC, or PLAINTEXT. (89,0): SQL72045: Script execution error. The executed script:
Doing a bit of research, it appears as if the connection string setting "Column Encryption Setting=Enabled" Isn't set in the publish profile. I get the same error if I try running the generated deployment script in SSMS without the AlwaysEncrypted flag set. Trying to set this through the UI, it reverts back to 'Disabled' and won't save no matter what I do. I then try to save it directly to the publish profile XML, rather that through the UI, and while it does save, the error doesn't change.
I try executing the generated deployment script from SSDT in SSMS with SQLCMD mode enabled and the AlwaysEncrypted flag set = true and interestingly, I get a different error. That error is:
An error occurred while executing batch. Error message is: ExecuteReader: CommandText property has not been initialized
Questions:
Thank you for the help.
Nathan
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 1%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETP%3C/text%3E%3C/svg%3E)
Tom,
Appreciate the articles, but they both reference SSMS, which is working.
The issue I'm having is with the "Post-Deployment Scripts" in SQL Server data tools (SSDT). These are executed in SQLCMD mode and don't appear to be utilizing the "Column Encryption Setting = Enabled" configured in the publish profile. Additionally, I don't see a way to set the "Enable Paramateriation for Always Encrypted" in the SSDT publish profile like you have in SSMS.
Thoughts?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 18%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMA%3C/text%3E%3C/svg%3E)
I found the setting for the publish profile and made it work (for DML, not for encrypting existing data..), problem is - my post-deployment script is too big for parameterization.
I will have to try this. What version of SSDT are you using?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(240, 3%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EG%3C/text%3E%3C/svg%3E)
Usually the certificate for the Column Master Key is stored in the client machine, not on the SQL server machine. If that is the case, you are not able to insert data into the table with an Always Encrypted column.
The cert is installed on the machine I'm deploying from and I've validated I can insert from SSMS on the same machines. Other thoughts?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 98%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDL%3C/text%3E%3C/svg%3E)
I'm having this exact same issue. Has there been an update?