---
description: "Configure column encryption in-place using Always Encrypted with secure enclaves"
title: "Configure column encryption in-place using Always Encrypted with secure enclaves | Microsoft Docs"
ms.custom: ""
ms.date: "05/24/2022"
ms.prod: sql
ms.prod_service: "database-engine, sql-database"
ms.reviewer: vanto
ms.technology: security
ms.topic: conceptual
author: jaszymas
ms.author: jaszymas
monikerRange: ">= sql-server-ver15"
---
[!INCLUDE sqlserver2019-windows-only-asdb]
Always Encrypted with secure enclaves supports cryptographic operations on database columns in-place, inside a secure enclave in the Database Engine. Without an enclave, the data has to be downloaded, encrypted or decrypted on the client side, and uploaded again; in-place encryption eliminates that round trip out of the database, which makes the cryptographic operations faster and more reliable.
> [!NOTE]
> Despite the performance benefits of in-place encryption, cryptographic operations on large tables can still take a long time and consume substantial resources, potentially degrading the performance and availability of your applications.
In-place encryption also makes it possible to trigger cryptographic operations with the ALTER TABLE ALTER COLUMN (Transact-SQL) statement, which isn't possible without an enclave.
The supported cryptographic operations, and the requirements for the column encryption key(s) used in each, are:
- Encrypting a plaintext column. The column encryption key used to encrypt the column must be enclave-enabled.
- Re-encrypting an encrypted column with a new encryption type and/or a new column encryption key. Both the current column encryption key and the new column encryption key (if different from the current key) must be enclave-enabled.
- Decrypting an encrypted column. The column encryption key protecting the column must be enclave-enabled.
See Manage keys for Always Encrypted with secure enclaves for information on how to ensure your column encryption keys are enclave-enabled.
You also need to ensure that your environment meets the general Prerequisites for running statements using secure enclaves.
A user or an application triggering cryptographic operations must have permission to make schema changes on the table containing the affected columns (ALTER on the table), access to the column master keys involved in the operations in their key store (for example, Azure Key Vault or the Windows certificate store), and access to the relevant key metadata in the database (the VIEW ANY COLUMN MASTER KEY DEFINITION and VIEW ANY COLUMN ENCRYPTION KEY DEFINITION permissions).
You can trigger in-place encryption only with the ALTER TABLE ALTER COLUMN (Transact-SQL) statement, issued from SQL Server Management Studio or from your own application. See Configure column encryption in-place with Transact-SQL.
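The following Transact-SQL is an added example, not code from the original page, that walks through the three supported in-place operations (encrypt, re-encrypt with a new key and encryption type, decrypt) on a hypothetical HR.Employees table with a hypothetical SSN column, two hypothetical enclave-enabled column encryption keys CEK1 and CEK2, and a hypothetical database principal app_dba. It assumes the ALTER statements are run over a connection with Always Encrypted and enclave attestation enabled (for example, from SSMS with "Enable Always Encrypted" and an attestation URL set in the connection properties), and that the login can access the column master keys CEK1 and CEK2 are wrapped with. The first query is a check to run beforehand: any column master key with allow_enclave_computations = 0 (or no signature) means the keys aren't enclave-enabled and the ALTER will fail. The last query verifies the column's encryption metadata after each step.

```sql
-- Added example (not from the original page). HR.Employees, SSN, CEK1, CEK2
-- and app_dba are hypothetical names.

-- 0. Grant the database permissions the operations need (run as a privileged user):
--    ALTER on the table for the schema change, plus the two VIEW ANY ... DEFINITION
--    permissions for reading the key metadata in the database.
GRANT ALTER ON OBJECT::[HR].[Employees] TO [app_dba];
GRANT VIEW ANY COLUMN MASTER KEY DEFINITION TO [app_dba];
GRANT VIEW ANY COLUMN ENCRYPTION KEY DEFINITION TO [app_dba];
GO

-- 1. Check that CEK1 and CEK2 are enclave-enabled: every column master key that
--    wraps them must allow enclave computations and carry a signature.
SELECT cek.name AS cek_name,
       cmk.name AS cmk_name,
       cmk.allow_enclave_computations,
       CASE WHEN cmk.signature IS NULL THEN 'missing' ELSE 'present' END AS cmk_signature
FROM sys.column_encryption_keys AS cek
JOIN sys.column_encryption_key_values AS v
  ON v.column_encryption_key_id = cek.column_encryption_key_id
JOIN sys.column_master_keys AS cmk
  ON cmk.column_master_key_id = v.column_master_key_id
WHERE cek.name IN (N'CEK1', N'CEK2');
GO

-- 2. Encrypt the plaintext column in place with randomized encryption under CEK1.
--    A *_BIN2 collation is required for deterministic encryption and for enclave
--    rich computations on string columns, so it is set here up front.
ALTER TABLE [HR].[Employees]
ALTER COLUMN [SSN] [char](11) COLLATE Latin1_General_BIN2
ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = [CEK1],
                ENCRYPTION_TYPE = Randomized,
                ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NOT NULL
WITH (ONLINE = ON);
GO

-- 3. Re-encrypt the column in place with a new key (key rotation) and a new
--    encryption type. Both CEK1 (current) and CEK2 (new) must be enclave-enabled.
ALTER TABLE [HR].[Employees]
ALTER COLUMN [SSN] [char](11) COLLATE Latin1_General_BIN2
ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = [CEK2],
                ENCRYPTION_TYPE = Deterministic,
                ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NOT NULL
WITH (ONLINE = ON);
GO

-- 4. Decrypt the column in place: the same ALTER COLUMN with no ENCRYPTED WITH
--    clause (CEK2 must still be enclave-enabled). The collation can be changed
--    back at the same time.
ALTER TABLE [HR].[Employees]
ALTER COLUMN [SSN] [char](11) COLLATE Latin1_General_CI_AS NOT NULL
WITH (ONLINE = ON);
GO

-- 5. Verify the column's encryption metadata after each step. After step 2 or 3
--    encryption_type_desc shows RANDOMIZED or DETERMINISTIC and cek_name the key;
--    after step 4 all three are NULL.
SELECT c.name AS column_name,
       c.encryption_type_desc,
       c.encryption_algorithm_name,
       cek.name AS cek_name
FROM sys.columns AS c
LEFT JOIN sys.column_encryption_keys AS cek
  ON cek.column_encryption_key_id = c.column_encryption_key_id
WHERE c.object_id = OBJECT_ID(N'HR.Employees') AND c.name = N'SSN';
GO
```

Run each ALTER in its own batch and re-run the verification query between them. If the connection doesn't have Always Encrypted and enclave attestation enabled, or a key isn't enclave-enabled, the ALTER statement is rejected rather than silently falling back to a client-side operation, so the check in step 1 is worth running before touching a large table.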
> [!NOTE]
> Currently, the Always Encrypted wizard and the Set-SqlColumnEncryption cmdlet don't support in-place encryption; they always download the data for cryptographic operations, even if your configuration meets the above requirements.