14,494 questions
I suggest you read this, it describes your exact issue:
https://www.mssqltips.com/sqlservertip/4011/sql-server-2016-always-encrypted/
Need Resolution for SQL query using Always encrypted field
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(179.20000000000002, 45%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESB%3C/text%3E%3C/svg%3E)
Sangram Bakshi
1
Reputation point
We are working on Always Encrypt SQLServer 2017
To start with Followed following instructions to create tables
https://www.mssqltips.com/sqlservertip/4011/sql-server-2016-always-encrypted/
So for example :
Query 1 : Need information to query data on a table using Always Encrypted field using WHERE
- Created table as :
exec sp_addtype SmStringReqN, "nvarchar(255)", "NOT NULL"
go
CREATE TABLE SmUser (
UserID int
ENCRYPTED WITH
(
ENCRYPTION_TYPE = DETERMINISTIC,
ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256',
COLUMN_ENCRYPTION_KEY = ColumnKey
) NOT NULL,
Name int
ENCRYPTED WITH
(
ENCRYPTION_TYPE = DETERMINISTIC,
ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256',
COLUMN_ENCRYPTION_KEY = ColumnKey
) NOT NULL,
Password SmStringReqN,
LastName SmStringReqN,
FirstName SmStringReqN,
EmailAddress SmStringReqN,
TelephoneNumber SmStringReqN,
Disabled SmStringReqN,
PIN SmStringReqN,
Mileage int NOT NULL,
PasswordData varchar(2000) NOT NULL,
PRIMARY KEY (UserID)
)
go
Populated Data as :
DECLARE @UserID AS int = 1 ; DECLARE @DeezNutz AS int = 105 ; INSERT INTO .[dbo].[SmUser] VALUES (@UserID,@DeezNutz ,'user1','User','Super','******@mycompany.com','100','0', '1111', 1234,' ');
go
Now We want to retrieve data using the encrypted field say Name using WHERE
So as we try something like this :
SELECT * FROM .[dbo].[SmUser] WHERE [Name]=105, CONVERT(int, DecryptByKey('ColumnKey'));
Observing error :
Line 24, column 47
Incorrect syntax near ,.
Completion time: 2022-04-12T14:59:47.5175128+05:30
Or if we try something like this
We Observe error :
SELECT Name FROM .[dbo].[SmUser] WHERE ([Name]=105);
OR
SELECT * FROM .[dbo].[SmUser] WHERE ([Name]=105);
Msg 206, Level 16, State 2, Line 26
Operand type clash: tinyint is incompatible with tinyint encrypted with (encryption_type = 'DETERMINISTIC', encryption_algorithm_name = 'AEAD_AES_256_CBC_HMAC_SHA_256', column_encryption_key_name = 'ColumnKey', column_encryption_key_database_name = 'sampleuser')
Msg 206, Level 16, State 2, Line 26
Need Information on how we can achieve this.
Query 2 :
We observe Always Encrypted does not supports strings , user defined variables as mentioned in following link
We also tried to test it by trying to create tables with string type and usedefined types , but we observe error in doing so.
Summarizing : Do confirm some information on this.
- Does Always Encrypts supports only int type or does it supports varchar and other types also. Please send the list of supported types
- We want to fetch data from table using WHERE clause with encrypted column name. To fetch data using encrypted columns, please suggest/provide single query
SQL Server | Other
4 answers
Sort by: Most helpful
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 1%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETP%3C/text%3E%3C/svg%3E)
Tom Phillips 17,771 Reputation points2022-04-21T18:47:18.283+00:00 -
Erland Sommarskog 121.4K Reputation points MVP Volunteer Moderator2022-04-19T21:59:03.717+00:00 Always Encrypted is a feature that people often get problem with, because they have expectations that do not match how the feature work.
It is very important to understand that with Always Encrypted, all encryption and decryption occur client-side. SQL Server knows where the encryption key is located and that the value is encrypted. But you cannot decrypt or encrypt the value in SQL Server. And that's a very important promise for Always Encrypted: to hide data for the DBA.
SELECT * FROM .[dbo].[SmUser] WHERE [Name]=105, CONVERT(int, DecryptByKey('ColumnKey'));
Apart from the syntax error, the function DecryptByKey has no relation to Always Encrypted. This function relates to the old-style cell encryption in SQL 2005.
DECLARE @UserID AS int = 1 ; DECLARE @DeezNutz AS int = 105 ; INSERT INTO .[dbo].[SmUser] VALUES > (@UserID,@DeezNutz ,'user1','User','Super','******@mycompany.com','100','0', '1111', 1234,' ');
This works in SSMS, provided that you have checked "Enable Parameterization in Always Encrypted" in SSMS, and also provided the appropriate connection string key word in the Connection dialog. In this case, SSMS will re-interpet the code and replace this with parameterised statements. The encryption still occurs client-side. The precondition here is that use variables.
So this does not work:
SELECT Name FROM .[dbo].[SmUser] WHERE ([Name]=105);
It needs to be:
DECLARE @id int = 105 SELECT Name FROM .[dbo].[SmUser] WHERE ([Name]=@idDoes Always Encrypts supports only int type or does it supports varchar and other types also. Please send the list of supported types
I don't recall if there any types that are not supported, but all common types certainly are supported.
But what you need to wrap your head around is that all encryption occurs client-side. And hat is why a condition like Name = 105 does not work. You cannot compare a number to a random sequence of bytes. And SQL Server knows that it is random bytes.
And keep in mind that what you see in SSMS is just something make it possible for the DBA to perform data maintenance. In your application you cannot things like that. All values must be passed as parameters.
-
Sangram Bakshi 1 Reputation point
2022-04-20T04:03:38.363+00:00 @Erland Sommarskog : Thanks for your inputs .
@Regarding restrictions for always encrypt for data types , the following article mentions the restrictions
https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-database-engine?view=sql-server-ver15I was also not able to create tables when applied always encrypt to string data types and user defined data type. I was able to create tables only with int data type .Any more information on this.
-
Erland Sommarskog 121.4K Reputation points MVP Volunteer Moderator
2022-04-20T21:28:55.637+00:00 For string columns, you need to have a BIN2 collation. This example is in the article:
CREATE TABLE Customers ( CustName nvarchar(60) COLLATE Latin1_General_BIN2 ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = MyCEK, ENCRYPTION_TYPE = RANDOMIZED, ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256'), SSN varchar(11) COLLATE Latin1_General_BIN2 ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = MyCEK, ENCRYPTION_TYPE = DETERMINISTIC , ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256'), Age int NULL );This requirements very much makes sense, since once the data is encrypted, there is no way that SQL Server can apply case/accent/etc-insensitivity and other Unicode rules.
Sign in to comment -
-
Sangram Bakshi 1 Reputation point
2022-04-21T16:54:33.903+00:00 Thanks for your inputs .
So if we conclude that it is not possible to run a single line query like to get the result where (Name is teh encrypted field) , it is correct to believe so.
SELECT * FROM .[dbo].[SmUser] WHERE [Name]=105, CONVERT(int, DecryptByKey('ColumnKey'));
or
SELECT Name FROM .[dbo].[SmUser] WHERE [Name]=105, CONVERT(int, DecryptByKey('ColumnKey'));or
SELECT Name FROM .[dbo].[SmUser] WHERE [Name]=105Or is it possible to have anything alternate so that we can get the required result using a single line query .
Basically need a query using WHERE name = <value > . (So going by your earlier information looks like this cannot be achieved).
Do let know if any final inputs regarding this.Regards
Sangram-
Erland Sommarskog 121.4K Reputation points MVP Volunteer Moderator
2022-04-21T21:09:55.33+00:00 Correct, the query must be
SELECT * FROM dbo.SmUser WHERE Name=@nameThat is, you cannot query by a constant value, it must be a parameter with a value coming from the client.
The link that Tom provided gives a good introduction on how to work with Always Encrypted.
Sign in to comment -