Public Preview of Always Encrypted in Azure SQL Database

Always Encrypted is now available for public preview in all service tiers of Azure SQL Database V12. You can use Always Encrypted to ensure sensitive data, such as credit card numbers, is encrypted and decrypted inside client applications or application servers, using keys that are never revealed to Azure SQL Database. As a result, even… Read more

SSMS Encryption Wizard – Enabling Always Encrypted in a Few Easy Steps

As we explained in the previous articles, Always Encrypted is a client-side encryption technology – the database system (SQL Server or Azure SQL Database) does not have access to plaintext encryption keys and cannot encrypt or decrypt data protected with Always Encrypted. Consequently, enabling Always Encrypted in a database requires the use of client-side tools to… Read more

Oil & Gas Security Demo with SQL Server 2016

At our security session today at PASS Summit 2015, we were extremely fortunate to be joined by Jamey Johnston, a Data Scientist at a large independent Oil & Gas company, who shared a comprehensive demo using Row-Level Security, Dynamic Data Masking, and Always Encrypted to control access to oil well production data. Jamey’s demo showcases… Read more

New Enhancements in Always Encrypted

The new version of SQL Server Management Studio (October 2015 Preview – build 13.0.700.242) and .NET Framework 4.6.1 RC bring several exciting enhancements to Always Encrypted. In the next few articles, we will cover these enhancements in detail. For now, we will provide a brief summary of what is new. Note: If you used Always… Read more

Creating Custom Key Store Providers for Always Encrypted (Azure Key Vault Example)

Updates: The syntax for column master keys has been updated. Please refer to for details on what is new in Always Encrypted. We have updated the schema for our sample table to follow best practices. Big thanks to Denny Cherry for his feedback and help on greatly improving our sample schema. The Azure Key… Read more

Using Always Encrypted with Entity Framework 6

Entity Framework 6 was not designed from the start to work with the Always Encrypted feature of SQL Server 2016. However, a lot of effort has gone into making the feature work as transparently as possible with existing code. This article explores the limitations you will need to work around and the potential issues you… Read more

Always Encrypted Key rotation – Column master Key rotation.

Update: The syntax for column master keys has been updated. Please refer to for details on what is new in Always Encrypted. Many standards that are used to regulate data security define key rotation requirements in order to meet compliance. In many cases, there are defined regulations that distinguish between the key-encrypting keys (KEK)… Read more

Encrypting Existing Data with Always Encrypted

As you have learned from our previous articles, Always Encrypted is a client-side encryption technology – sensitive data is transparently encrypted and decrypted within a client application by a client driver. SQL Server does not have access to plaintext encryption keys and cannot encrypt or decrypt encrypted data. An important implication of the above is… Read more

Always Encrypted Key Metadata

Note: this article was modified on Nov 1st, 2015 to reflect syntax changes in T-SQL DDL and metadata views, introduced in SQL Server 2016 CTP3. Please refer to SQL Server 2016 Release Notes for details. In the previous articles on Always Encrypted, we used two sample applications (a console app and an ASP .NET web app)… Read more

Developing Web Apps using Always Encrypted

In our first post on the Always Encrypted technology, Getting Started with Always Encrypted, we showed how to develop a simple console app using Always Encrypted to protect sensitive information. In this article, we will demonstrate the process of developing a web application using Always Encrypted with ASP .NET and Entity Framework. We will follow… Read more