Plan for Intel SGX enclaves and attestation in Azure SQL Database
Applies to: Azure SQL Database
Plan for Intel SGX in Azure SQL Database
Intel SGX is a hardware-based trusted execution environment technology. Intel SGX is available for databases that use the vCore model and DC-series hardware. Therefore, to ensure you can use Always Encrypted with secure enclaves in your database, you need to either select the DC-series hardware when you create the database, or you can update your existing database to use the DC-series hardware.
Intel SGX is not available in hardware other than DC-series. For example, Intel SGX is not available for standard-series (Gen5) hardware, and it is not available for databases using the DTU model.
Before you configure the DC-series hardware for your database, check the regional availability of DC-series and make sure you understand its performance limitations. For details, see DC-series.
Plan for attestation in Azure SQL Database
Microsoft Azure Attestation is a solution for attesting Trusted Execution Environments (TEEs), including Intel SGX enclaves in Azure SQL databases using DC-series hardware.
To use Azure Attestation for attesting Intel SGX enclaves in Azure SQL Database, you need to create an attestation provider and configure it with the Microsoft-provided attestation policy. See Configure attestation for Always Encrypted using Azure Attestation
Roles and responsibilities when configuring SGX enclaves and attestation
Configuring your environment to support Intel SGX enclaves and attestation for Always Encrypted in Azure SQL Database involves setting up components of different types: Microsoft Azure Attestation, Azure SQL Database, and applications that trigger enclave attestation. Configuring components of each type is performed by users assuming one of the below distinct roles:
- Attestation administrator - creates an attestation provider in Microsoft Azure Attestation, authors the attestation policy, grants Azure SQL logical server access to the attestation provider, and shares the attestation URL that points to the policy to application administrators.
- Azure SQL Database administrator - enables SGX enclaves in databases by selecting the DC-series hardware, and provides the attestation administrator with the identity of the Azure SQL logical server that needs to access the attestation provider.
- Application administrator - configures applications with the attestation URL obtained from the attestation administrator.
In production environments (handling real sensitive data), it is important your organization adheres to role separation when configuring attestation, where each distinct role is assumed by different people. In particular, if the goal of deploying Always Encrypted in your organization is to reduce the attack surface area by ensuring Azure SQL Database administrators cannot access sensitive data, Azure SQL Database administrators should not control attestation policies.
Submit and view feedback for