Configure column encryption in-place using Always Encrypted with secure enclaves

THIS TOPIC APPLIES TO:yesSQL Server 2019 and later (Windows only) noAzure SQL DatabasenoAzure Synapse Analytics (SQL DW) noParallel Data Warehouse

Always Encrypted with secure enclaves supports cryptographic operations on database columns in-place - inside a secure enclave in SQL Server. In-place encryption eliminates the need to move the data for such operations outside of the database, making the cryptographic operations faster and more reliable.


Despite the performance benefits of in-place encryption, cryptographic operations on large tables can take a long time and consume substantial resources, potentially impacting and degrading performance and availability of your applications.

In-place encryption makes it also possible to trigger cryptographic operations using the ALTER TABLE ALTER COLUMN (Transact-SQL) statement, which is not possible without an enclave.


The supported cryptographic operations and the requirements for column encryption key(s), used for the operations, are:

  • Encrypting a plaintext column. The column encryption key used to encrypt the column must be enclave-enabled.
  • Re-encrypting an encrypted column using a new encryption type or/and a new column encryption key. Both the current column encryption key and the new column encryption key (if different than the current key) must be enclave-enabled.
  • Decrypting an encrypted column - the column encryption key, protecting the column, must be enclave-enabled.

See Manage keys for Always Encrypted with secure enclaves for information how to ensure your column encryption keys are enclave-enabled.

In-place encryption also requires a SQL Server instance that has a correctly initialized secure enclave. See Configure the enclave type for Always Encrypted Server Configuration Option.

A user or an application triggering cryptographic operations must have permissions to make schema changes on the table containing the impacted columns and to access column master keys involved in the operations, and relevant key metadata in the database.

You can only trigger in-place encryption using ALTER TABLE ALTER COLUMN (Transact-SQL) from SQL Server Management Studio or your custom application. See Configure column encryption in-place with Transact-SQL.


Currently, the Always Encrypted wizard and the Set-SqlColumnEncryption cmdlet do not support in-place encryption, and always download the data for cryptographic operations, even if your configuration meets the above requirements.

Next Steps