Configure the secure enclave in SQL Server

Applies to: SQL Server 2019 (15.x) and later - Windows only

Before you can use Always Encrypted with secure enclaves in SQL Server, you need to configure your instance to initialize the secure enclave during startup. By default, SQL Server doesn't initialize the secure enclave. You can change that by setting the column encryption enclave type Server Configuration Option to the value that represents a valid enclave type for your environment.

Note

The role responsible for configuring the secure enclave is the DBA. See Roles and responsibilities when configuring attestation with HGS.

The supported enclave type for SQL Server 2019 (15.x) or later is virtualization-based security (VBS). Before configuring the VBS enclave type, make sure the computer hosting your instance meets the requirements stated in:

For detailed instructions on how to configure the enclave type, see Configure the enclave type for Always Encrypted Server Configuration Option.
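
The following T-SQL is an added example, not part of the original page. It sets the column encryption enclave type option to 1 (the VBS value) and checks whether the running instance has picked it up. It assumes a login with permission to change server configuration and that the instance is restarted between the change and the final check.

```sql
-- Added example: enable the VBS enclave type and verify that it is in use.
-- Run as a login allowed to change server configuration (ALTER SETTINGS).

-- 1. Inspect the current state.
--    value        = configured value
--    value_in_use = value the running instance actually uses
SELECT [name], [value], [value_in_use]
FROM sys.configurations
WHERE [name] = 'column encryption enclave type';

-- 2. Set the enclave type. 0 = no secure enclave (the default), 1 = VBS.
EXEC sys.sp_configure 'column encryption enclave type', 1;
RECONFIGURE;

-- 3. Restart the SQL Server instance. The enclave is initialized only
--    during startup, so the new value is not in use until then.

-- 4. Check the result. Run this again after the restart.
DECLARE @configured int, @in_use int;

SELECT @configured = CONVERT(int, [value]),
       @in_use     = CONVERT(int, [value_in_use])
FROM sys.configurations
WHERE [name] = 'column encryption enclave type';

IF @in_use = 1
    PRINT 'VBS enclave type is in use.';
ELSE IF @configured = 1
    PRINT 'VBS enclave type is configured but not in use yet: restart the instance.';
ELSE
    PRINT 'No enclave type is configured: the secure enclave will not be initialized.';
```

If the option is configured but the instance still reports 0 in value_in_use after a restart, check the SQL Server error log for enclave initialization errors and confirm that the host meets the VBS requirements.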

Next steps

Manage keys for Always Encrypted with secure enclaves

See also

Server Configuration Options (SQL Server)