Enable Always Encrypted with secure enclaves in Azure SQL Database

Applies to: Azure SQL Database

In Azure SQL Database, Always Encrypted with secure enclaves can use either Intel Software Guard Extensions (Intel SGX) enclaves or Virtualization-based Security (VBS) enclaves. For more information, see Plan for secure enclaves in Azure SQL Database.

For Intel SGX to be available, the database must use the vCore model and DC-series hardware.

Configuring the DC-series hardware to enable Intel SGX enclaves is the responsibility of the Azure SQL Database administrator. For more information, see Roles and responsibilities when configuring Intel SGX enclaves and attestation.


Intel SGX is not available in hardware configurations other than DC-series. For example, Intel SGX is not available for standard-series (Gen5) hardware, and it is not available for databases using the DTU model.


Before you configure the DC-series hardware for your database, check the regional availability of DC-series and make sure you understand its performance limitations. For more information, see DC-series.

For detailed instructions on how to configure a new or existing database to use a specific hardware configuration, see Hardware configuration.

Next steps

See also