Enable Always Encrypted with secure enclaves in Azure SQL Database

Applies to: Azure SQL Database

In Azure SQL Database, Always Encrypted with secure enclaves can use either Intel Software Guard Extensions (Intel SGX) enclaves or Virtualization-based Security (VBS) enclaves. For more information, see Plan for secure enclaves in Azure SQL Database.

Intel SGX enclaves

For Intel SGX to be available, the database must use the vCore model and DC-series hardware.

Configuring the DC-series hardware to enable Intel SGX enclaves is the responsibility of the Azure SQL Database administrator. For more information, see Roles and responsibilities when configuring Intel SGX enclaves and attestation.

Note

Intel SGX is not available in hardware configurations other than DC-series. For example, Intel SGX is not available for standard-series (Gen5) hardware, and it is not available for databases using the DTU model.

Important

Before you configure the DC-series hardware for your database, check the regional availability of DC-series and make sure you understand its performance limitations. For more information, see DC-series.

For detailed instructions on how to configure a new or existing database to use a specific hardware configuration, see Hardware configuration.

Next steps

• Configure Azure Attestation for your Azure SQL database server

VBS enclaves

Important

The VBS enclaves feature in Azure SQL Database is currently in preview. The Supplemental Terms of Use for Microsoft Azure Previews include additional legal terms that apply to Azure features that are in beta, in preview, or otherwise not yet released into general availability.

To enable a VBS enclave in your database, you need to set the preferredEnclaveType database property to VBS, which activates the VBS enclave for the database. You can set preferredEnclaveType when you create a new database or by updating an existing database.

Note

By default, a new database is created with preferredEnclaveType set to Default, which doesn't support VBS enclaves.

You can set the preferredEnclaveType using Azure PowerShell or the Azure CLI.

Enabling VBS enclaves with Azure PowerShell

Create a new database with a VBS enclave with the New-AzSqlDatabase cmdlet. The following example creates a serverless database with a VBS enclave.

New-AzSqlDatabase  -ResourceGroupName "ResourceGroup01" `
    -ServerName "Server01" `
    -DatabaseName "Database01" `
    -Edition GeneralPurpose `
    -ComputeModel Serverless `
    -ComputeGeneration Gen5 `
    -VCore 2 `
    -MinimumCapacity 2 `
    -PreferredEnclaveType VBS

To enable a VBS enclave for an existing database, use the Set-AzSqlDatabase cmdlet. Here's an example:

Set-AzSqlDatabase -ResourceGroupName "ResourceGroup01" `
    -DatabaseName "Database01" `
    -ServerName "Server01" `
    -PreferredEnclaveType VBS

Enabling VBS enclaves with Azure CLI

Create a new database with a VBS enclave with the az sql db create cmdlet. The following example creates a serverless database with a VBS enclave.

az sql db create -g ResourceGroup01 `
    -s Server01 `
    -n Database01 `
    -e GeneralPurpose `
    --compute-model Serverless `
    -f Gen5 `
    -c 2 `
    --min-capacity 2 `
    --preferred-enclave-type VBS 

To enable a VBS enclave for an existing database, use the az sql db update cmdlet. Here's an example:

az sql db update -g ResourceGroup01 `
    -s Server01 `
    -n Database01 `
    --preferred-enclave-type VBS

See also

• Getting started using Always Encrypted with secure enclaves