title | description | author | ms.author | ms.date | ms.service | ms.subservice | ms.topic | monikerRange |
---|---|---|---|---|---|---|---|---|
Configure the enclave type for Always Encrypted (server configuration option) | Find out how to enable or disable a secure enclave for Always Encrypted. Learn how to confirm whether an enclave has been correctly initialized. | jaszymas | jaszymas | 01/15/2021 | sql | configuration | how-to | >= sql-server-ver15 |
[!INCLUDE sqlserver2019-windows-only]
This article describes how to enable or disable a secure enclave for Always Encrypted with secure enclaves. For more information, see Always Encrypted with secure enclaves and Configure the secure enclave in SQL Server.
The `column encryption enclave type` server configuration option controls the type of secure enclave used for Always Encrypted. The option can be set to one of the following values:
Value | Description |
---|---|
0 | No secure enclave. The Database Engine will not initialize the secure enclave for Always Encrypted. As a result, the functionality of Always Encrypted with secure enclaves will not be available. |
1 | Virtualization-based security (VBS). The Database Engine will attempt to initialize a virtualization-based security (VBS) enclave. |
Important
Changes to the column encryption enclave type do not take effect until you restart the SQL Server instance.
You can check the configured enclave type value and the enclave type value currently in effect by using the sys.configurations (Transact-SQL) view.
To confirm that an enclave of the type currently in effect (a value greater than 0) was correctly initialized after the last restart of SQL Server, check the sys.dm_column_encryption_enclave (Transact-SQL) view:
- If the view contains exactly one row, the enclave is correctly initialized.
- If the view contains no rows, check the SQL Server error log for enclave initialization errors. See View the SQL Server error log (SQL Server Management Studio).
For step-by-step instructions on how to configure a VBS enclave, see Step 2: Enable Always Encrypted with secure enclaves in SQL Server.
The following example enables the secure enclave and sets the enclave type to VBS:
```sql
sp_configure 'column encryption enclave type', 1;
GO
RECONFIGURE;
GO
```
The following example disables the secure enclave:
```sql
sp_configure 'column encryption enclave type', 0;
GO
RECONFIGURE;
GO
```
The following query retrieves the configured enclave type and the enclave type that is currently in effect:
```sql
USE [master];
GO
SELECT
    [value]
    , CASE [value] WHEN 0 THEN 'No enclave' WHEN 1 THEN 'VBS' ELSE 'Other' END AS [value_description]
    , [value_in_use]
    , CASE [value_in_use] WHEN 0 THEN 'No enclave' WHEN 1 THEN 'VBS' ELSE 'Other' END AS [value_in_use_description]
FROM sys.configurations
WHERE [name] = 'column encryption enclave type';
```
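The two checks described above (configured value versus value in effect, then the row count of sys.dm_column_encryption_enclave) can be combined into a single status query. This is an added example, not part of the original article; the variable names, column aliases and status strings are illustrative.

```sql
-- Added example: one-shot enclave health check (names and messages are illustrative).
USE [master];
GO

DECLARE @configured int, @in_use int, @enclave_rows int;

-- Configured value and the value currently in effect.
-- [value] and [value_in_use] are sql_variant, so convert before comparing.
SELECT @configured = CONVERT(int, [value]),
       @in_use     = CONVERT(int, [value_in_use])
FROM sys.configurations
WHERE [name] = 'column encryption enclave type';

-- Exactly one row means the enclave was initialized after the last restart.
SELECT @enclave_rows = COUNT(*)
FROM sys.dm_column_encryption_enclave;

SELECT
    @configured   AS configured_type,
    @in_use       AS type_in_effect,
    @enclave_rows AS enclave_rows,
    CASE
        WHEN @configured IS NULL
            THEN 'Option not found on this instance'
        WHEN @configured <> @in_use
            THEN 'Pending: configured value is not in effect until the instance is restarted'
        WHEN @in_use = 0
            THEN 'No enclave: Always Encrypted with secure enclaves is not available'
        WHEN @enclave_rows = 1
            THEN 'Enclave initialized'
        ELSE 'Enclave NOT initialized: check the SQL Server error log'
    END AS enclave_status;
```

The pending case is evaluated first because a mismatch between the two values means the enclave state still reflects the old setting, whichever direction the change went.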
- Manage keys for Always Encrypted with secure enclaves
- Server Configuration Options (SQL Server)
- sp_configure (Transact-SQL)
- RECONFIGURE (Transact-SQL)
- sys.configurations (Transact-SQL)
- sys.dm_column_encryption_enclave (Transact-SQL)