Share via

Configure the secure enclave in SQL Server

Applies to: SQL Server 2019 (15.x) and later - Windows only

Before you can use Always Encrypted with secure enclaves in SQL Server, you need to configure your instance to initialize the secure enclave during startup. By default, SQL Server doesn't initialize the secure enclave. You can change that by setting the column encryption enclave type Server Configuration Option to the value that represents a valid enclave type for your environment.


The role responsible for configuring the secure enclave is the DBA. See Roles and responsibilities when configuring attestation with HGS.

The supported enclave type for SQL Server 2019 (15.x) or later is virtualization based security (VBS). Before configuring the VBS enclave type, make sure the computer hosting your instance meets the requirements stated in:

For detailed instructions on how to configure the enclave type, see Configure the enclave type for Always Encrypted Server Configuration Option.

Next steps

Manage keys for Always Encrypted with secure enclaves

See also

Server Configuration Options (SQL Server)