Events
Mar 31, 11 PM - Apr 2, 11 PM
The biggest SQL, Fabric and Power BI learning event. March 31 – April 2. Use code FABINSIDER to save $400.
Register todayConfigure column encryption in-place using Always Encrypted with secure enclaves
Applies to: 
SQL Server 2019 (15.x) and later - Windows only
Azure SQL Database
Always Encrypted with secure enclaves supports cryptographic operations on database columns in-place - inside a secure enclave in the Database Engine. In-place encryption eliminates the need to move the data for such operations outside of the database, making the cryptographic operations faster and more reliable.
Note
Despite the performance benefits of in-place encryption, cryptographic operations on large tables can take a long time and consume substantial resources, potentially impacting and degrading performance and availability of your applications.
In-place encryption makes it also possible to trigger cryptographic operations using the ALTER TABLE ALTER COLUMN (Transact-SQL) statement, which isn't possible without an enclave.
The supported cryptographic operations and the requirements for column encryption key(s), used for the operations, are:
- Encrypting a plaintext column. The column encryption key used to encrypt the column must be enclave-enabled.
- Re-encrypting an encrypted column using a new encryption type or/and a new column encryption key. Both the current column encryption key and the new column encryption key (if different than the current key) must be enclave-enabled.
- Decrypting an encrypted column - the column encryption key, protecting the column, must be enclave-enabled.
For information on how to ensure your column encryption keys are enclave-enabled, see Manage keys for Always Encrypted with secure enclaves.
You also need to ensure that your environment meets the general Prerequisites for running statements using secure enclaves.
A user or an application triggering cryptographic operations must have permissions to make schema changes on the table containing the impacted columns and to access column master keys involved in the operations, and relevant key metadata in the database.
You can trigger in-place encryption using one of the following methods:
- ALTER TABLE ALTER COLUMN (Transact-SQL) from SQL Server Management Studio or your custom application. See Configure column encryption in-place with Transact-SQL.
- The Always Encrypted wizard
- The Set-SqlColumnEncryption cmdlet. See Configure column encryption in-place with PowerShell.
- A data-tier application (DAC) package. See Configure column encryption in-place with DAC package.
Additional resources
Training
Certification
Microsoft Certified: Azure Database Administrator Associate - Certifications
Administer an SQL Server database infrastructure for cloud, on-premises and hybrid relational databases using the Microsoft PaaS relational database offerings.
Documentation
-
Run Transact-SQL statements using secure enclaves - SQL Server
Run Data Definition Language (DDL) statements to configure encryption for your column or manage indexes on encrypted columns, and query encrypted columns
-
Provision enclave-enabled keys - SQL Server
Provision enclave-enabled keys
-
Manage keys for Always Encrypted with secure enclaves - SQL Server
Manage keys for Always Encrypted with secure enclaves