When using Always Encrypted in SQL Server 2016, how do I as the DBA view the data?

The short answer is, you don’t.

The entire point of Always Encrypted is that the DBA can’t view or modify the data using SQL Server Management Studio. The only way to view and change the data is through the front-end application that created it. This means that if someone submits a ticket to your team to change some data, you won’t be able to do it. Because you can’t touch the data, you’ll have to refer that ticket back to someone in the business, who makes the change through the application just like a normal user would.
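
An added example (not from the original post): the DBA cannot read the plaintext, but the encryption metadata is visible in the catalog views. This T-SQL query lists each encrypted column with the store and path of its column master key; the text in the `separation_of_duties_note` column is this example's own wording, not SQL Server output.

```sql
-- Added example: inventory Always Encrypted columns and where their
-- column master keys (CMKs) are stored. Reads catalog metadata only;
-- no plaintext and no key material is returned.
SELECT
    s.name                      AS schema_name,
    t.name                      AS table_name,
    c.name                      AS column_name,
    c.encryption_type_desc,     -- DETERMINISTIC or RANDOMIZED
    c.encryption_algorithm_name,
    cek.name                    AS column_encryption_key,
    cmk.name                    AS column_master_key,
    cmk.key_store_provider_name,
    cmk.key_path,               -- location only; resolved on the client, not on the server
    CASE
        WHEN cmk.key_store_provider_name = N'MSSQL_CERTIFICATE_STORE'
             AND cmk.key_path LIKE N'LocalMachine/%'
            THEN 'Machine-wide certificate store: confirm the certificate is not installed on the database host'
        WHEN cmk.key_store_provider_name = N'MSSQL_CERTIFICATE_STORE'
            THEN 'User certificate store: confirm which account and host hold the certificate'
        ELSE 'External key store: review its access policy against the list of database admins'
    END                         AS separation_of_duties_note
FROM sys.columns AS c
JOIN sys.tables  AS t
    ON t.object_id = c.object_id
JOIN sys.schemas AS s
    ON s.schema_id = t.schema_id
JOIN sys.column_encryption_keys AS cek
    ON cek.column_encryption_key_id = c.column_encryption_key_id
-- A column encryption key can have two values while a CMK is being rotated,
-- so a column may appear once per CMK that currently protects it.
JOIN sys.column_encryption_key_values AS cekv
    ON cekv.column_encryption_key_id = cek.column_encryption_key_id
JOIN sys.column_master_keys AS cmk
    ON cmk.column_master_key_id = cekv.column_master_key_id
WHERE c.encryption_type IS NOT NULL
ORDER BY s.name, t.name, c.column_id;
```

The `key_path` value records where a client should look for the key, not which machine holds it, so the rows it flags still need a check of the certificate stores on the database host itself.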


The post When using Always Encrypted in SQL Server 2016, how do I as the DBA view the data? appeared first on SQL Server with Mr. Denny.


One Response

  1. In a proper environment, that’s true. However, if the DBA gets a copy of the certificate, then he just needs to add “Column Encryption Setting=enabled” to SSMS. I’ve been told (and will verify by Philly) that as of RC3 you actually need the certificate on the server, so if the DBA has local admin on the OS hosting the server, they could get the certificate in most scenarios.

    It’s definitely possible to prevent the DBA from getting the certificate, and it’s probably possible (read: I never tried, but it’s my understanding) to use Azure key store in such a way that the only people with access to the keys don’t have access to the database.
