Configure and use Always Encrypted with secure enclaves
Applies to: 
SQL Server 2019 (15.x) and later - Windows only
Azure SQL Database
Always Encrypted with secure enclaves extends the existing Always Encrypted feature to enable richer functionality on sensitive data while keeping the data confidential. This article lists common tasks for configuring and using the feature.
For tutorials that show you how to quickly get started with Always Encrypted with secure enclaves, see:
Set up the secure enclave and attestation
Before you can use Always Encrypted with secure enclaves, you need to configure your environment to ensure the secure enclave is available for the database. You might also need to set up enclave attestation, if applicable.
The process for setting up your environment depends on whether you're using SQL Server 2019 (15.x) and later or Azure SQL Database.
Set up the secure enclave and attestation in SQL Server
To set up Always Encrypted with secure enclaves without attestation, see:
- Plan for Always Encrypted with secure enclaves in SQL Server without attestation
- Configure the secure enclave in SQL Server
To set up Always Encrypted with secure enclaves and attestation, see:
- Plan for Host Guardian Service attestation
- Deploy the Host Guardian Service for SQL Server
- Register computer with the Host Guardian Service
- Configure the secure enclave in SQL Server
Set up the secure enclave and attestation in Azure SQL Database
For details, see the following articles:
- Plan for secure enclaves in Azure SQL Database
- Enable Always Encrypted with secure enclaves for your Azure SQL Database
- Configure Azure Attestation for your Azure SQL Database logical server
Important
VBS enclaves in Azure SQL Database do not support attestation. Configuring Azure Attestation only applies to Intel SGX enclaves.
Manage keys for Always Encrypted with secure enclaves
- Manage keys for Always Encrypted with secure enclaves - overview
- Provision enclave-enabled keys
- Rotate enclave-enabled keys
Configure columns with Always Encrypted with secure enclaves
- Configure column encryption in-place using Always Encrypted with secure enclaves - overview
- Configure column encryption in-place with Transact-SQL
- Configure column encryption in-place with PowerShell
- Configure column encryption in-place with DAC Package
- Enable Always Encrypted with secure enclaves for existing encrypted columns
Run Transact-SQL statements using secure enclaves
- Run Transact-SQL statements using secure enclaves
- Troubleshoot common issues for Always Encrypted with secure enclaves
Create and use indexes on enclave-enabled columns
Develop applications using Always Encrypted with secure enclaves
See also
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for