
Always Encrypted Reaches General Availability in Azure SQL Database


In today’s Ask the Admin, I’ll explain what Always Encrypted technology is in Microsoft SQL Server and how it works with Azure SQL Database.

As Brad Sams reported back in October 2015, Azure SQL Database – Microsoft’s SQL Server as a Service offering in the cloud – has received an upgrade with the addition of Always Encrypted technology.

Always Encrypted is a feature of SQL Server 2016, which also reached general availability recently on June 1, 2016, and protects sensitive data. Unlike other database encryption technologies, Always Encrypted allows data to be encrypted in the client application without sending the encryption keys to SQL Server, providing a separation of roles between data owners and those charged with managing the data, i.e., SQL Server administrators.


Always Encrypted can be useful in different scenarios, but has clearly been designed to allow organizations to store sensitive data on database servers that are not within their direct control, for instance, when SQL Server is hosted in the cloud. Because the encryption keys are never sent to the server, organizations can be sure that data stored in the cloud cannot be decrypted by unauthorized actors.

Always Encrypted is transparent to client applications: a driver installed on client computers automatically encrypts and decrypts data as it passes between the server and the client application, so applications can work with this new feature without changes to their queries. At release, Always Encrypted is supported by the .NET Framework Data Provider for SQL Server, and JDBC and ODBC support is planned for the near future.

Scenarios suited to Always Encrypted include an organization that wants to hire a third party to manage its on-premises SQL servers. Encryption keys are stored in a location that the organization’s database client applications can access but that the admins hired to manage SQL Server cannot. In the case of Azure SQL Database, Always Encrypted encryption keys can be stored in a trusted location on premises, preventing Microsoft employees from accessing organizational data stored in the cloud.

If the client app is hosted in the cloud, and data is stored in Azure SQL Database or SQL Server 2016 running in an Azure VM, Always Encrypted can be enabled but won’t provide the same level of isolation as when the client app is hosted on premises. Microsoft says that even though data and keys are then accessible to Microsoft staff administering Azure, Always Encrypted still provides a reduced attack surface in this scenario because the data is encrypted in the database.
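The T-SQL below is an added illustration, not code from the original article, of the role separation described above. The names CMK_Payroll, CEK_Payroll and dbo.Employees, the certificate thumbprint and the encrypted key value are all placeholders chosen for the example.

```sql
-- Column master key (CMK): only metadata is stored in SQL Server. The key
-- itself lives in a store the client can reach but the DBA cannot, here the
-- Windows certificate store on the client (thumbprint is a placeholder).
-- For an on-premises key guarding an Azure SQL Database, the path instead
-- points at a key store the application owns, never at the database server.
CREATE COLUMN MASTER KEY CMK_Payroll
WITH (
    KEY_STORE_PROVIDER_NAME = 'MSSQL_CERTIFICATE_STORE',
    KEY_PATH = 'CurrentUser/My/<CERTIFICATE_THUMBPRINT_PLACEHOLDER>'
);

-- Column encryption key (CEK): stored in the database only in encrypted
-- form. ENCRYPTED_VALUE is the CEK wrapped with the CMK; it is produced on
-- the client (e.g. by SSMS or the SqlServer PowerShell module), so the
-- plaintext CEK never reaches the server. The value here is a placeholder.
CREATE COLUMN ENCRYPTION KEY CEK_Payroll
WITH VALUES (
    COLUMN_MASTER_KEY = CMK_Payroll,
    ALGORITHM = 'RSA_OAEP',
    ENCRYPTED_VALUE = 0x0000000000000000000000000000000000000000000000000000000000000000
);

-- Table with two encrypted columns. DETERMINISTIC allows equality lookups
-- (requires a BIN2 collation for strings) but leaks equality of values;
-- RANDOMIZED leaks nothing but cannot be searched or joined on.
CREATE TABLE dbo.Employees (
    EmployeeId INT NOT NULL PRIMARY KEY,
    SSN CHAR(11) COLLATE Latin1_General_BIN2
        ENCRYPTED WITH (
            COLUMN_ENCRYPTION_KEY = CEK_Payroll,
            ENCRYPTION_TYPE = DETERMINISTIC,
            ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256'
        ) NOT NULL,
    Salary MONEY
        ENCRYPTED WITH (
            COLUMN_ENCRYPTION_KEY = CEK_Payroll,
            ENCRYPTION_TYPE = RANDOMIZED,
            ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256'
        ) NOT NULL
);

-- A DBA querying directly sees only ciphertext (varbinary) in SSN and
-- Salary. An application connecting with "Column Encryption Setting=Enabled"
-- in its connection string, on a machine holding the CMK certificate,
-- receives plaintext because the driver decrypts the columns client-side.
SELECT EmployeeId, SSN, Salary FROM dbo.Employees;
```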

For more information on Azure SQL Database, see Getting Started with Azure SQL Database on the Petri IT Knowledgebase.

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.
