How to get started with Always Encrypted for Beginners Part 4: Change is Coming

A few weeks ago, I wrote Part 12 and 3 of this series, which was a beginner’s guide to Always Encrypted. In part 4, I am going to talk about the changes that are coming in vNext of SQL Server.

As I discussed in part 3 there are many roads blocks the can stop the implementation of Always Encrypted (AE). In the current available versions of SQL Server 2016 and 2017, along with Azure SQL Database, the cost of using AE was way too high for many companies. There are so many code changes needed to implement AE that moving to it is not cost effective for them. Microsoft recognizes this and has found a better way to handle things like aggregations, range comparison, LIKE predicates, ORDER BYs, and other search criteria with the introduction of Secure Enclaves.  For the client discussed in part 1-3 this will make all the difference.

Per MSDN “An enclave is a protected region of memory that acts as a trusted execution environment. An enclave appears as a black box to the containing process and to other processes running on the machine. There is no way to view the data or the code inside the enclave from the outside, even with a debugger.”

Now let’s translate that in English. It means that SQL Server will evaluate encrypted data in PLAIN TEXT while it is a protected region of memory. Just like non-encrypted data, we can now treat it just like anything else when querying it. This all takes place on the hardware. The process is a little complex to explain but in short SQL Server Engine processes its own enclave (a fancy word meaning a portion of territory) in memory where it loads encryption algorithms and required instructions to run the submitted SQL code. Then the SQL client sends the encryption keys, retrieved from a Windows Certificate or Azure Key vault, to the enclave over a secure channel to decrypt the data and process the queries in plain text. This is the only place that data is unencrypted. All result sets are sent back encrypted over that same secure channel and can only be viewed after decrypting the data again by using the keys.

This is a real game changer, in my opinion, that will really help spring board Always Encrypted to the most used encryption option in SQL Server. If you want to give this a try, it’s still in preview but you can sign up to try it out https://aka.ms/SQLEnclavesPreview.

For a more in-depth understanding of the hardware side of secure enclaves check out this paper https://www2.eecs.berkeley.edu/Pubs/TechRpts/2016/EECS-2016-219.pdf.

About Monica Rathbun

Monica Rathbun lives in Virginia, is a Microsoft MVP for Data Platform and Microsoft Certified Solutions Expert. She has nearly two decades of experience working with a wide variety of database platforms with a focus on SQL Server and the Microsoft Data Platform. She is a frequent speaker at IT industry conferences on topics including performance tuning and configuration management. She is the Leader of the Hampton Roads SQL Server User Group. She is passionate about SQL Server and the SQL Server community, doing anything she can to give back. Monica can always be found on Twitter (@sqlespresso) handing out helpful tips. You can find Monica blogging at sqlespresso.com 
Bookmark the permalink.

4 Comments

  1. Pingback: What’s Coming With Always Encrypted? – Curated SQL

  2. Thanks for this great article and sharing the about the new tech enclaves.

  3. Hi there. The links to previous parts are broken. Can you update them? Thanks.

Comments are closed