Configure and use Always Encrypted with secure enclaves

Applies to: SQL Server 2019 (15.x) and later - Windows only Azure SQL Database

Always Encrypted with secure enclaves extends the existing Always Encrypted feature to enable richer functionality on sensitive data while keeping the data confidential. This article lists common tasks for configuring and using the feature.

For tutorials that show you how to quickly get started with Always Encrypted with secure enclaves, see:

• Getting started using Always Encrypted with secure enclaves

Set up the secure enclave and attestation

Before you can use Always Encrypted with secure enclaves, you need to configure your environment to ensure the secure enclave is available for the database. You might also need to set up enclave attestation, if applicable.

The process for setting up your environment depends on whether you're using SQL Server 2019 (15.x) and later or Azure SQL Database.

Set up the secure enclave and attestation in SQL Server

To set up Always Encrypted with secure enclaves without attestation, see:

• Plan for Always Encrypted with secure enclaves in SQL Server without attestation
• Configure the secure enclave in SQL Server

To set up Always Encrypted with secure enclaves and attestation, see:

• Plan for Host Guardian Service attestation
• Deploy the Host Guardian Service for SQL Server
• Register computer with the Host Guardian Service
• Configure the secure enclave in SQL Server

Set up the secure enclave and attestation in Azure SQL Database

For details, see the following articles:

• Plan for secure enclaves in Azure SQL Database
• Enable Always Encrypted with secure enclaves for your Azure SQL Database
• Configure Azure Attestation for your Azure SQL Database logical server

Important

VBS enclaves in Azure SQL Database do not support attestation. Configuring Azure Attestation only applies to Intel SGX enclaves.

Manage keys for Always Encrypted with secure enclaves

• Manage keys for Always Encrypted with secure enclaves - overview
• Provision enclave-enabled keys
• Rotate enclave-enabled keys

Configure columns with Always Encrypted with secure enclaves

• Configure column encryption in-place using Always Encrypted with secure enclaves - overview
• Configure column encryption in-place with Transact-SQL
• Configure column encryption in-place with PowerShell
• Configure column encryption in-place with DAC Package
• Enable Always Encrypted with secure enclaves for existing encrypted columns

Run Transact-SQL statements using secure enclaves

• Run Transact-SQL statements using secure enclaves
• Troubleshoot common issues for Always Encrypted with secure enclaves

Create and use indexes on enclave-enabled columns

• Create and use indexes on columns using Always Encrypted with secure enclaves

Develop applications using Always Encrypted with secure enclaves

• Develop applications using Always Encrypted with secure enclaves

See also

• Getting started using Always Encrypted with secure enclaves