Edit

sp_enclave_send_keys (Transact-SQL)

  • Article

Applies to: SQL Server 2019 (15.x) and later - Windows only

Sends columns encryption keys, defined in the database, to the server-side secure enclave used with Always Encrypted with secure enclaves.

sp_enclave_send_keys only sends only the keys that are enclave-enabled and encrypt columns that use randomized encryption and have indexes. For a regular user query, a client driver provides the enclave with the keys needed for computations in the query. sp_enclave_send_keys sends all column encryption keys defined in the database and used for indexes encrypted columns.

sp_enclave_send_keys provides an easy way to send keys to the enclave and populate the column encryption key cache for subsequent indexing operations. Use sp_enclave_send_keys to enable:

  • A DBA to rebuild or alter indexes or statistics on encrypted database columns, if the DBA doesn't have access to the column master key(s). See Invoke indexing operations using cached column encryption keys.

  • SQL Server to complete the recovery of indexes on encrypted columns. See Database Recovery.

  • An application using .NET Framework Data Provider for SQL Server to bulk load data to encrypted columns.

To successfully invoke sp_enclave_send_keys, you need to connect to the database with Always Encrypted and enclave computations enabled for the database connection. You also need to have access to column master keys, protecting the column encryption keys, you're going to send, and you need permissions to access Always Encrypted key metadata in the database.

Syntax

sp_enclave_send_keys
[ ; ]

Arguments

This stored procedure has no arguments.

Return value

This stored procedure has no return value.

Result set

This stored procedure has no result sets.

Permissions

Require the VIEW ANY COLUMN ENCRYPTION KEY DEFINITION and VIEW ANY COLUMN MASTER KEY DEFINITION permissions in the database.

Examples

EXEC sp_enclave_send_keys;

Related content