Rediger

Del via


Configure column encryption in-place using Always Encrypted with secure enclaves

Applies to: SQL Server 2019 (15.x) and later - Windows only Azure SQL Database

Always Encrypted with secure enclaves supports cryptographic operations on database columns in-place - inside a secure enclave in the Database Engine. In-place encryption eliminates the need to move the data for such operations outside of the database, making the cryptographic operations faster and more reliable.

Note

Despite the performance benefits of in-place encryption, cryptographic operations on large tables can take a long time and consume substantial resources, potentially impacting and degrading performance and availability of your applications.

In-place encryption makes it also possible to trigger cryptographic operations using the ALTER TABLE ALTER COLUMN (Transact-SQL) statement, which isn't possible without an enclave.

Prerequisites

The supported cryptographic operations and the requirements for column encryption key(s), used for the operations, are:

  • Encrypting a plaintext column. The column encryption key used to encrypt the column must be enclave-enabled.
  • Re-encrypting an encrypted column using a new encryption type or/and a new column encryption key. Both the current column encryption key and the new column encryption key (if different than the current key) must be enclave-enabled.
  • Decrypting an encrypted column - the column encryption key, protecting the column, must be enclave-enabled.

For information on how to ensure your column encryption keys are enclave-enabled, see Manage keys for Always Encrypted with secure enclaves.

You also need to ensure that your environment meets the general Prerequisites for running statements using secure enclaves.

A user or an application triggering cryptographic operations must have permissions to make schema changes on the table containing the impacted columns and to access column master keys involved in the operations, and relevant key metadata in the database.

You can trigger in-place encryption using one of the following methods:

Next steps

See also