always-encrypted-wizard.md

title	Encrypt, Re-Encrypt or Decrypt Columns using Always Encrypted Wizard | Microsoft Docs
ms.custom
ms.date	05/04/2016
ms.prod	sql
ms.reviewer	vanto
ms.technology	security
ms.topic	conceptual
f1_keywords	sql13.swb.alwaysencryptedwizard.encryption.f1 sql13.swb.alwaysencryptedwizard.f1 sql.swb.alwaysencryptedwizard.masterkey.f1
helpviewer_keywords	Wizard, Always Encrypted
ms.assetid	68daddc9-ce48-49aa-917f-6dec86ad5af5
author	jaszymas
ms.author	jaszymas
monikerRange	=azuresqldb-current||>=sql-server-2016||=sqlallproducts-allversions||>=sql-server-linux-2017||=azuresqldb-mi-current

Encrypt, Re-Encrypt or Decrypt Columns using Always Encrypted Wizard

[!INCLUDEappliesto-ss-asdb-xxxx-xxx-md]

The Always Encrypted Wizard is a powerful tool that allows you to set the desired Always Encrypted configuration for selected database columns. Depending on the current configuration and the desired target configuration, the wizard can encrypt a column, decrypt it (remove encryption), or re-encrypt it (for example, using a new column encryption key or an encryption type that is different from the current type, configured for the column). Multiple columns can be configured in a single run of the wizard.

The wizard allows you to encrypt columns with existing column encryption keys, or you can choose to generate a new column encryption key or both a new column encryption key and a new column master key.

• For an end-to-end walk-through that shows how to configure Always Encrypted with the wizard and use it in a client application, see the following Azure SQL Database tutorials:

  • Protect sensitive data in Azure SQL Database with Always Encrypted and column master keys in Windows certificate store
  • Protect sensitive data in Azure SQL Database with Always Encrypted and column master keys in Azure Key Vault

• For a video that includes using the wizard, see Keeping Sensitive Data Secure with Always Encrypted. Also, see the [!INCLUDEssNoVersion] Security Team blog SSMS Encryption Wizard - Enabling Always Encrypted in a Few Easy Steps.

• For information about Always Encrypted keys, see Overview of Key Management for Always Encrypted.

• For information about encryption types supported in Always Encrypted, see Selecting Deterministic or Randomized Encryption.

Permissions

To perform cryptographic operations using the wizard, you must have the VIEW ANY COLUMN MASTER KEY DEFINITION and VIEW ANY COLUMN ENCRYPTION KEY DEFINITION permissions. You also must have permissions to access column master keys, you are using, in the key stores holding the keys:

• Certificate Store - Local computer - you must have the Read access to the certificate that is used a column master key, or be the administrator on the computer.
• Azure Key Vault - you need the get, unwrapKey, and verify permissions on the vault containing the column master key.
• Key Store Provider (CNG) - you might be prompted for the required permission and credentials when using a key store or a key, depending on the store and the KSP configuration.
• Cryptographic Service Provider (CAPI) - you might be prompted for the required permission and credentials when using a key store or a key, depending on the store and the CSP configuration.

In addition, if you are creating new keys using the wizard, you must have additional permissions listed in Provision Column Master Keys with the New Column Master Key Dialog and Provision Column Encryption Keys with the New Column Encryption Key Dialog.

Open the Always Encrypted Wizard

You can launch the wizard at three different levels:

• At a database level - if you want to encrypt multiple columns located in different tables.
• At a table level - if you want to encrypt multiple columns located in the same table.
• At a column level - if you want to encrypt one specific column.

1. Connect to your [!INCLUDEssNoVersion] with the Object Explorer component of [!INCLUDEssManStudioFull].

2. To encrypt:

   1. Multiple columns located in different table in a database, right-click your database, point to Tasks, and then select Encrypt Columns.
   2. Multiple columns located in the same table, navigate to the table, right-click on it, and then select Encrypt Columns.
   3. An individual column, navigate to the column, right-click on it, and then select Encrypt Columns.

Column Selection Page

In this page, you select columns you want to encrypt, re-encrypt or decrypt, and you define the target encryption configuration for the selected columns.

To encrypt a plaintext column (a column that is not encrypted), select an encryption type (Deterministic or Randomized) and an encryption key for the column.

To change an encryption type or to rotate (change) a column encryption key for an already encrypted column, select the desired encryption type and the key.

If you want the wizard to encrypt or re-encrypt one or more columns using a new column encryption key, pick a key containing (New) in its name. The wizard will generate the key.

To decrypt a column that is currently encrypted, select Plaintext for the encryption type.

Note

The wizard does not support cryptographic operations on temporal and in-memory tables. You can create empty temporal or in-memory tables using Transact-SQL and insert data using your application.

Master Key Configuration Page

If you have selected an auto-generated column encryption key for any column on the previous page, in this page you need to either select an existing column master key or configure a new column master key that will encrypt the column encryption key.

When configuring a new column master key, you can either pick an existing key in Windows Certificate Store or in Azure Key Vault and have the wizard to create just a metadata object for the key in the database, or you can choose to generate both the key and the metadata object describing the key in the database.

For more information about creating and storing column master keys in Windows Certificate Store, Azure Key Vault or other key stores, see Create and Store Column Master Keys (Always Encrypted).

Tip

The wizard allows you to browse and create keys only in Windows Certificate Store and Azure Key Vault. It also auto-generates the names of both the new keys and the database metadata objects describing the keys. If you need more control for how your keys are provisioned (and more choices for a key store containing your column master key), you can use the New Column Master Key and New Column Encryption Key dialogs to create the keys first, and then run the wizard and pick the keys you have created. See Provision Column Master Keys with the New Column Master Key Dialog and Provision Column Encryption Keys with the New Column Encryption Key Dialog.

Next Steps

• Query Columns Protected with Always Encrypted using SQL Server Management Studio
• Develop Applications using Always Encrypted

See Also

• Always Encrypted
• Overview of Key Management for Always Encrypted
• Configure Always Encrypted using SQL Server Management Studio
• Provision Always Encrypted Keys using PowerShell
• Encrypt, Re-Encrypt or Decrypt Columns with Always Encrypted using PowerShell
• Encrypt, Re-Encrypt or Decrypt Columns by Publishing a DAC Package