sp_describe_parameter_encryption (Transact-SQL)
Applies to: 
SQL Server 2016 (13.x) and later
Azure SQL Database
Azure SQL Managed Instance
Analyzes the specified Transact-SQL statement and its parameters, to determine which parameters correspond to database columns that are protected by using the Always Encrypted feature. Returns encryption metadata for the parameters that correspond to encrypted columns.
Syntax
sp_describe_parameter_encryption
[ @tsql = ] N'tsql'
[ , [ @params = ] N'@parameter_name data_type [ , ... n ]' ]
[ ; ]
Arguments
[ @tsql = ] 'tsql'
One or more Transact-SQL statements. @tsql might be nvarchar(n) or nvarchar(max).
[ @params = ] N'@parameter_name data_type [ ,... n ]'
@params provides a declaration string for parameters for @tsql, which is similar to sp_executesql. Parameters might be nvarchar(n) or nvarchar(max).
A string that contains the definitions of all parameters that are embedded in the Transact-SQL_batch. The string must be either a Unicode constant or a Unicode variable. Each parameter definition consists of a parameter name and a data type. n is a placeholder that indicates additional parameter definitions. n is a placeholder that indicates additional parameter definitions. Every parameter specified in the statement must be defined in @params. If the Transact-SQL statement or batch in the statement doesn't contain parameters, @params isn't required. NULL is the default value for this parameter.
Return value
0 indicates success. Anything else indicates failure.
Result set
sp_describe_parameter_encryption returns two result sets:
The result set describing cryptographic keys configured for database columns, the parameters of the specified Transact-SQL statement correspond to.
The result set describing how particular parameters should be encrypted. This result set references the keys described in the first result set.
Each row of the first result set describes a pair of keys: an encrypted column encryption key, and its corresponding column master key (CMK).
| Column name | Data type | Description |
|---|---|---|
column_encryption_key_ordinal |
int | ID of the row in the resultset. |
database_id |
int | Database ID. |
column_encryption_key_id |
int | The column encryption key ID. Note: this ID denotes a row in the sys.column_encryption_keys catalog view. |
column_encryption_key_version |
int | Reserved for future use. Currently, always contains 1. |
column_encryption_key_metadata_version |
binary(8) | A timestamp representing the creation time of the column encryption key. |
column_encryption_key_encrypted_value |
varbinary(4000) | The encrypted value of the column encryption key. |
column_master_key_store_provider_name |
sysname | The name of the provider for the key store that contains the CMK, which was used to produce the encrypted value of the column encryption key. |
column_master_key_path |
nvarchar(4000) | The key path of the CMK, which was used to produce the encrypted value of the column encryption key. |
column_encryption_key_encryption_algorithm_name |
sysname | The name of the encryption algorithm used to produce the encryption value of the column encryption key. |
Each row of the second result set contains encryption metadata for one parameter.
| Column name | Data type | Description |
|---|---|---|
parameter_ordinal |
int | ID of the row in the result set. |
parameter_name |
sysname | Name of one of the parameters specified in the @params argument. |
column_encryption_algorithm |
tinyint | Code indicating the encryption algorithm configured for the column the parameter corresponds to. The currently supported value is 2 for AEAD_AES_256_CBC_HMAC_SHA_256. |
column_encryption_type |
tinyint | Code indicating the encryption type configured for the column, the parameter corresponds to. The supported values are:0 - plaintext (the column isn't encrypted)1 - deterministic encryption2 - randomized encryption. |
column_encryption_key_ordinal |
int | Code of the row in the first result set. The referenced row describes the column encryption key configured for the column, the parameter corresponds to. |
column_encryption_normalization_rule_version |
tinyint | Version number of the type normalization algorithm. |
Remarks
A SQL Server client driver, supporting Always Encrypted, automatically calls sp_describe_parameter_encryption to retrieve encryption metadata for parameterized queries issued by the application. Then, the driver uses the encryption metadata to encrypt the values of parameters that correspond to database columns protected with Always Encrypted. It substitutes the plaintext parameter values submitted by the application, with the encrypted parameter values, before sending the query to the database engine.
Permissions
Require the VIEW ANY COLUMN ENCRYPTION KEY DEFINITION and VIEW ANY COLUMN MASTER KEY DEFINITION permissions in the database.
Examples
The following example truncates the value for ENCRYPTED_VALUE, for display purposes.
CREATE COLUMN MASTER KEY [CMK1]
WITH (
KEY_STORE_PROVIDER_NAME = N'MSSQL_CERTIFICATE_STORE',
KEY_PATH = N'CurrentUser/my/A66BB0F6DD70BDFF02B62D0F87E340288E6F9305'
);
GO
CREATE COLUMN ENCRYPTION KEY [CEK1]
WITH VALUES (
COLUMN_MASTER_KEY = [CMK1],
ALGORITHM = 'RSA_OAEP',
ENCRYPTED_VALUE = 0x016E00000163007500720072<...> -- truncated in this example
);
GO
CREATE TABLE t1 (
c1 INT ENCRYPTED WITH (
COLUMN_ENCRYPTION_KEY = [CEK1],
ENCRYPTION_TYPE = Randomized,
ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256'
) NULL,
);
EXEC sp_describe_parameter_encryption
N'INSERT INTO t1 VALUES(@c1)',
N'@c1 INT';
Here's the first result set:
| Column | Value |
|---|---|
column_encryption_key_ordinal |
1 |
database_id |
5 |
column_encryption_key_id |
1 |
column_encryption_key_version |
1 |
column_encryption_key_metadata_version |
0x99EDA60083A50000 |
column_encryption_key_encrypted_value |
0x016E00000163007500720072<...> |
column_master_key_store_provider_name |
MSSQL_CERTIFICATE_STORE |
column_master_key_path |
CurrentUser/my/A66BB0F6DD70BDFF02B62D0F87E340288E6F9305 |
column_encryption_key_encryption_algorithm_name |
RSA_OAEP |
Here's the second result set:
| Column | Value |
|---|---|
parameter_ordinal |
1 |
parameter_name |
@c1 |
column_encryption_algorithm |
1 |
column_encryption_type |
1 |
column_encryption_key_ordinal |
1 |
column_encryption_normalization_rule_version |
1 |