How to get started with Always Encrypted for Beginners Part 4: Change is Coming

A few weeks ago, I wrote Part 1, 2 and 3 of this series, which was a beginner’s guide to Always Encrypted. In part 4, I am going to talk about the changes that are coming in vNext of SQL Server.

As I discussed in part 3 there are many roads blocks the can stop the implementation of Always Encrypted (AE). In the current available versions of SQL Server 2016 and 2017, along with Azure SQL Database, the cost of using AE was way too high for many companies. There are so many code changes needed to implement AE that moving to it is not cost effective for them. Microsoft recognizes this and has found a better way to handle things like aggregations, range comparison, LIKE predicates, ORDER BYs, and other search criteria with the introduction of Secure Enclaves.  For the client discussed in part 1-3 this will make all the difference.

Per MSDN “An enclave is a protected region of memory that acts as a trusted execution environment. An enclave appears as a black box to the containing process and to other processes running on the machine. There is no way to view the data or the code inside the enclave from the outside, even with a debugger.”

Now let’s translate that in English. It means that SQL Server will evaluate encrypted data in PLAIN TEXT while it is a protected region of memory. Just like non-encrypted data, we can now treat it just like anything else when querying it. This all takes place on the hardware. The process is a little complex to explain but in short SQL Server Engine processes its own enclave (a fancy word meaning a portion of territory) in memory where it loads encryption algorithms and required instructions to run the submitted SQL code. Then the SQL client sends the encryption keys, retrieved from a Windows Certificate or Azure Key vault, to the enclave over a secure channel to decrypt the data and process the queries in plain text. This is the only place that data is unencrypted. All result sets are sent back encrypted over that same secure channel and can only be viewed after decrypting the data again by using the keys.

This is a real game changer, in my opinion, that will really help spring board Always Encrypted to the most used encryption option in SQL Server. If you want to give this a try, it’s still in preview but you can sign up to try it out

For a more in-depth understanding of the hardware side of secure enclaves check out this paper


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Trust DCAC with your data

Your data systems may be treading water today, but are they prepared for the next phase of your business growth?