Questions tagged [always-encrypted]

Always Encrypted is a feature of Microsoft SQL Server 2016+ and Azure SQL Database, designed to protect sensitive data. It allows client applications to encrypt sensitive data without revealing the encryption keys to the database engine, so the data cannot be accessed either in flight on the wire or at rest on SQL Server.

Always Encrypted is a feature of Microsoft SQL Server 2016 and Azure SQL Database, designed to protect sensitive data. It allows client applications to encrypt sensitive data without revealing the encryption keys to the database engine, so the data cannot be accessed either in flight or at rest.

See MSDN for more details.

Encryption Keys

This is mainly focused on 2 Keys

Column Master Key (CMK)
Column Encryption Key (CEK)

CMK

Creates a column master key metadata object in a database. A column master key metadata entry that represents a key, stored in an external key store, which is used to protect (encrypt) column encryption keys when using the Always Encrypted (Database Engine) feature. Multiple column master keys allow for key rotation; periodically changing the key to enhance security. You can create a column master key in a key store and its corresponding metadata object in the database by using the Object Explorer in SQL Server Management Studio or PowerShell.

Types of Encryption

Deterministic Encryption
Randomized Encryption

Deterministic Encryption

Deterministic encryption always generates the same encrypted value for any given plaintext value. Using deterministic encryption allows point lookups, equality joins, grouping and indexing on encrypted columns. However, but may also allow unauthorized users to guess information about encrypted values by examining patterns in the encrypted column, especially if there is a small set of possible encrypted values, such as True/False, or North/South/East/West region. Deterministic encryption must use a column collation with a binary2 sort order for character column

Randomized Encryption

Randomized encryption uses a method that encrypts data in a less predictable manner. Randomized encryption is more secure, but prevents searching, grouping, indexing, and joining on encrypted columns.

How to generate ENCRYPTED_VALUE for CEK in SQL Server Always Encrypted

It is possible to generate ENCRYPTED_VALUE in different way than by SSMS? I like to enable "Always encrypted" feature for chosen columns but I am wondering about encrypting data by unknown key. In my oppinion there always should be way to decrypt…

asked Apr 04 '18 at 18:45

sglogowski

votes

1 answer

Using Always Encrypted with Entity Framework and Azure Key Vault

I've encrypted some columns in an Azure SQL Database, using Always Encrypted and a column master key stored in an Azure Key Vault, but I'm having trouble accessing them from my application using Entity Framework. There's a recent MSDN article and an…

sql-server entity-framework azure-keyvault always-encrypted

asked Jun 09 '16 at 17:45

Jonathan Sayce

9,359
5
37
51

votes

4 answers

.Net Core 5.0 - Sql Azure + Always Encrypted + Managed Identity

I have a Azure SQL Db with encrypted columns (Always Encrypted with Azure KeyVault). I can access this db from SSMS and I can see the decrypted data. I also have a web app made with .Net Core 5.0 which is deployed to Azure App Service. The app…

azure .net-core azure-sql-database azure-keyvault always-encrypted

asked Dec 11 '20 at 04:35

AlexB

4,167
4
45
117

votes

2 answers

Failed to decrypt a column encryption key using key store provider: 'AZURE_KEY_VAULT'

I've used Always encrypted for a database table column on a DB on Azure. I've gone through this article - https://learn.microsoft.com/en-us/azure/sql-database/sql-database-always-encrypted-azure-key-vault - followed it very carefully. I have…

sql-server azure encryption azure-keyvault always-encrypted

asked Aug 31 '19 at 04:56

M.R.

4,737
3
37
81

votes

0 answers

How to pass always encrypted column values to SSIS package parameters

I have password stored in a SQL Server table that is "always encrypted" (deterministic). I have a SSIS package that has a package level parameter called "parmPassword". I am trying to use that encrypted column value to set the default SSIS parameter…

sql-server ssis always-encrypted

asked May 08 '19 at 21:23

MikB

votes

1 answer

How to read SQL Always-encrypted column from classic ASP

I maintain a classic ASP app (yeah, I know, we're working on it) and need to access Always Encrypted columns in SQL 2017. I've imported the cert and tested in SSMS and PowerShell and that much works. The best I've been able to do in ASP is to get…

sql-server asp-classic always-encrypted

asked Apr 17 '19 at 21:48

Len

votes

0 answers

SQL Server Always Encrypted - Maximum number of parameters

I have a SQL Server 2016 database with "Always Encrypted" set to on. We have multiple encrypted columns and a stored procedure that handles updates. CREATE PROCEDURE UpdateRecord @ID INT, @EncryptedParameter01 NVARCHAR(255) = NULL, …

sql sql-server stored-procedures parameters always-encrypted

asked Jun 25 '18 at 11:01

Matthew Baker

2,637
4
24
49

votes

2 answers

How to query data when columns are encrypted in SQL Server 2016

I've been trying to find solution in this problem. I encrypted my columns from my database in SQL Server 2016 . In order to read the data I already set the parameters "Column Encryption Setting=Enabled"; I know I don't have problem in my certificate…

c# sql encryption sql-server-2016 always-encrypted

asked Jun 06 '18 at 18:07

April

votes

2 answers

How to insert values into a table in sql 2016 whose columns are always encrypted?

I have encrypted few columns in sql 2016 table using column encryption. Now I want to Insert data into that table. I tried creating a stored procedure and executing that procedure with parameters but I am getting following error. Encryption scheme…

c# sql-server entity-framework always-encrypted

asked Jun 20 '17 at 15:44

user3775287

votes

3 answers

Operand type clash: varchar is incompatible with varchar(50) trying to insert in encrypted database

I am getting a SqlException: Operand type clash: varchar is incompatible with varchar(50) encrypted with (encryption_type = 'DETERMINISTIC', encryption_algorithm_name = 'AEAD_AES_256_CBC_HMAC_SHA_256', column_encryption_key_name = …

c# asp.net sql-server encryption always-encrypted

asked Oct 26 '16 at 15:36

Mulana Monova

votes

2 answers

Does SQL Server 2016 Express support Always Encrypted?

Is SQL Server's new encryption "at rest and in motion" feature available in the Express version of SQL Server 2016?

.net sql-server sql-server-express sql-server-2016 always-encrypted

asked Apr 26 '16 at 13:46

stovroz

6,835
2
48
59

votes

2 answers

Can an admin see encrypted data with SQL Server 2016 always encrypted feature?

This looks a very nice feature, but what I understood its that only the app can see the unencrypted text of the columns, right? Is it possible that the admin with a SQL query can see the unencrypted data? or does it have to be always from the…

sql sql-server sql-server-2016 always-encrypted

asked Jan 06 '16 at 14:08

Luis Valencia

32,619
93
286
506

votes

2 answers

Retrieving encrypted column 'xxx' with CommandBehavior=SequentialAccess is not supported

I have setup a Azure SQL Database and enabled Always Encrypted. One of the column (column3) is varchar(Max). When I query the database from SSMS without using "column encryption setting=enabled", I can see that all the columns have binary data. When…

sql-server encryption sql-server-2016 azure-sql-database always-encrypted

asked Dec 18 '15 at 04:18

Asdfg

11,362
24
98
175

votes

3 answers

Increase validity of Always Encrypted Certificate

I am using SQL Server's Always Encrypted feature to encrypt a few columns in the database using a master key that is protected by a self-signed certificate. The certificate is created using SQL 2016's Management Studio and always defaults to an…

azure-sql-database sql-server-2016 self-signed always-encrypted

asked Dec 02 '15 at 16:11

F.S.

votes

1 answer

Updating/inserting into a table with Always Encrypted columns using EF Core 5

I'm having trouble using Entity Framework Core 5 with the "Always Encrypted" feature in a ASP.NET Core 5 API. I've configured an Azure Key Vault and updated the connection string as necessary. I can read encrypted column data successfully, with code…

sql-server entity-framework-core savechanges always-encrypted

asked Apr 09 '21 at 18:51

SpinDoctor

Prev 1

…

19 20 Next