Always Encrypted

A SQL Server security feature that protects sensitive column data by encrypting it before it reaches the database engine, ensuring that neither DBAs nor SQL Server processes can access plaintext values.

  • Client-side key management: Always Encrypted stores encryption keys on the client side in a key store such as the Windows Certificate Store or Azure Key Vault. The SQL Server engine never has access to these encryption keys.
  • Encryption types: Always Encrypted supports two encryption methods: Deterministic, which always produces the same ciphertext for identical plaintext values and supports equality comparisons and joins, and Randomized, which provides stronger security but only supports full-column retrieval.
  • Common use cases: Always Encrypted is commonly used to protect highly sensitive data such as Social Security numbers, credit card numbers, healthcare record identifiers, and other information that must remain confidential, even from database administrators.
  • Secure Enclaves: Introduced in SQL Server 2019, Always Encrypted with Secure Enclaves enables additional operations on encrypted data, including range queries and pattern matching, within a trusted execution environment.
  • Application requirements: Applications must use Always Encrypted-enabled client drivers. The client application uses the column master key to transparently encrypt and decrypt data before sending it to or retrieving it from SQL Server.
  • Related terms: Transparent Data Encryption (TDE), Row-Level Security, Data Masking, Compliance.
SQL_Duck

Tired of Slow SQL Servers?

Find the root cause of performance issues in minutes, not hours. SQL Diagnostic Manager gives you real-time visibility and proactive alerts. 

Start your free trial today