SQL 2016 - It Just Runs Faster - AlwaysOn AES-NI Encryption

The SQL Server 2016 AlwaysOn log transport takes advantage of hardware-based encryption to significantly improve scale and performance.


SQL Server 2016 development efforts continued to focus on the AlwaysOn log shipping transport. Testing revealed that software-based encryption, while fundamentally sound, could be improved by using hardware-based capabilities.


The exchange of information between AlwaysOn instances takes place over a message protocol. When encryption is configured, the messages are encrypted and decrypted at the designated endpoints. Because the messages are delivered to a remote environment, the overhead of the encryption and decryption work adds to the latency of the communication.


The AlwaysOn log transport components detect whether the hardware supports AES-NI encryption. Windows Server 2012 R2 and newer Windows versions support the Cryptography API and CRC activities. SQL Server determines the encryption capabilities available across the primary and secondary instances and, if AES-NI is appropriate, leverages it for the default endpoint configuration. Reference: CREATE ENDPOINT … AES


Note: Running on Windows Server 2012 R2 or a newer Windows version with AES-defined endpoints already enabled AES-NI usage for SQL Server 2012 and 2014. SQL Server 2016 polished the endpoint creation (AES by default) and instance validation capabilities.


'It Just Runs Faster' - SQL Server 2016 defaults endpoint creation to AES-based encryption, allowing hardware-based AES-NI encryption. The hardware-based capabilities improve AlwaysOn log shipping scalability and performance by a significant factor.
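As an added example (not part of the original post), the T-SQL below audits the existing AlwaysOn endpoint's negotiated algorithm through sys.database_mirroring_endpoints and shows the CREATE ENDPOINT / ALTER ENDPOINT forms that pin it to AES, which is what lets the AES-NI path apply. The endpoint name Hadr_endpoint and listener port 5022 are assumptions for illustration; substitute your own.

```sql
-- 1. Audit: which encryption algorithm does each AlwaysOn endpoint currently allow?
--    encryption_algorithm_desc values such as 'RC4' or 'NONE RC4' mean the
--    transport will not be using AES (and therefore not AES-NI) on the wire.
SELECT  dme.name,
        tcp.port,
        dme.role_desc,
        dme.connection_auth_desc,
        dme.is_encryption_enabled,
        dme.encryption_algorithm_desc
FROM    sys.database_mirroring_endpoints AS dme
JOIN    sys.tcp_endpoints               AS tcp
        ON tcp.endpoint_id = dme.endpoint_id;

-- 2. Create a new endpoint that requires AES (assumed name and port).
--    ENCRYPTION = REQUIRED refuses unencrypted peers; ALGORITHM AES forbids RC4.
CREATE ENDPOINT [Hadr_endpoint]
    STATE = STARTED
    AS TCP (LISTENER_PORT = 5022, LISTENER_IP = ALL)
    FOR DATABASE_MIRRORING (
        ROLE = ALL,
        AUTHENTICATION = WINDOWS NEGOTIATE,
        ENCRYPTION = REQUIRED ALGORITHM AES
    );

-- 3. Remediate an existing endpoint that was created with RC4 or AES RC4.
--    Apply this on every replica; peers must agree on a common algorithm.
ALTER ENDPOINT [Hadr_endpoint]
    FOR DATABASE_MIRRORING (ENCRYPTION = REQUIRED ALGORITHM AES);
```

Re-run the audit query after the ALTER on each replica and confirm every row reports encryption_algorithm_desc = 'AES'.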


Steve Lindell - Principal SQL Server Software Engineer