| title | description | author | ms.author | ms.reviewer | ms.date | ms.service | ms.subservice | ms.topic | dev_langs | ms.custom | monikerRange | |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
Develop applications using Always Encrypted with secure enclaves |
Develop applications using Always Encrypted with secure enclaves |
Pietervanhove |
pivanho |
vanto |
11/14/2023 |
sql |
security |
conceptual |
|
ignite-2023 |
=azuresqldb-current||>=sql-server-2016||>=sql-server-linux-2017||=azuresqldb-mi-current |
[!INCLUDE sqlserver2019-windows-only-asdb]
Always Encrypted with secure enclaves extends Always Encrypted to enable richer functionality of application queries on encrypted sensitive database columns. It leverages secure enclave technologies to allow the query executor in [!INCLUDEssde-md] to delegate computations on encrypted columns to a secure enclave inside the [!INCLUDEssde-md] process.
Your environment needs to meet the following requirements to support Always Encrypted with secure enclaves.
- Your [!INCLUDE ssnoversion-md] instance or your database server in [!INCLUDE ssazure-sqldb] must be correctly configured to support enclaves and attestation, if applicable/required. For more information, see Set up the secure enclave and attestation.
- Make sure your application:
-
Uses a client driver version supports Always Encrypted with secure enclaves.
-
Enables Always Encrypted when connecting to your database.
-
Sets an attestation protocol, which determines whether the client driver must attest the enclave before submitting enclave queries, and if so, which attestation service it should use. Most recent driver versions support the following attestation protocols:
- Microsoft Azure Attestation - enforces attestation using Microsoft Azure Attestation.
- Host Guardian Service - enforces attestation using Host Guardian Service.
- None - allows using enclaves without attestation.
The below table specifies attestation protocols valid for particular SQL products and enclave technologies:
Product Enclave technology Supported attestation protocols [!INCLUDEsql-server-2019] and later VBS enclaves Host Guardian Service, None [!INCLUDE ssazure-sqldb] SGX enclaves (in DC-series databases) Microsoft Azure Attestation [!INCLUDE ssazure-sqldb] VBS enclaves None -
Sets an attestation URL that is valid for your environment, if you're using attestation.
- If you're using [!INCLUDE ssnoversion-md] and Host Guardian Service (HGS), see Determine and share the HGS attestation URL.
- If you're using [!INCLUDE ssazure-sqldb] with Intel SGX enclaves and Microsoft Azure Attestation, see Determine the attestation URL for your attestation policy.
-
To develop applications using Always Encrypted with secure enclaves, you need a SQL client driver version that supports secure enclaves. The client driver plays the following key role:
- Before submitting a query that uses a secure enclave to [!INCLUDE ssnoversion-md] or [!INCLUDE ssazure-sqldb] for execution, the driver initiates enclave attestation (if it's configured) to verify the secure enclave is trustworthy and can be safely used to process sensitive data. For more information about attestation, see Secure Enclave Attestation.
- The client driver establishes a secure session with the enclave by negotiating a shared secret.
- The driver uses the shared secret to encrypt the column encryption keys the enclave will need to process the query, and sends the keys to [!INCLUDE ssnoversion-md], which forwards them to the secure enclave that decrypts the keys.
- Finally, the driver submits the query for execution, which triggers computations inside the secure enclave.
The following client drivers support Always Encrypted with secure enclaves:
-
Microsoft .NET Data Provider for SQL Server in .NET Framework 4.6 or higher and .NET Core 2.1 or higher. If you want to use VBS enclaves without attestation, version 4.1 or later is required, which is compatible with .NET Framework 4.6.1 or higher and .NET Core 3.1.
- For more information, see Using Always Encrypted with the Microsoft .NET Data Provider for SQL Server.
- For a step-by-step tutorial, see Tutorial: Develop a .NET application using Always Encrypted with secure enclaves.
- Also, see Example demonstrating use of Azure Key Vault provider and Always Encrypted with secure enclaves.
-
Microsoft ODBC Driver for SQL Server, version 17.4 or higher. If you want to use VBS enclaves without attestation, version 18.1 or higher is required.
- For more information, see Using Always Encrypted with the ODBC Driver.
- For information on how to enable enclave computations for a database connection using ODBC, see the Enabling Always Encrypted with Secure Enclaves section.
-
Microsoft JDBC Driver for SQL Server, version 8.2 or higher. If you want to use VBS enclaves without attestation, version 12.2 or higher is required.
- For more information, see Using Always Encrypted with secure enclaves with the JDBC driver
-
.NET Framework Data Provider for SQL Server in .NET Framework 4.7.2 or higher.
- For more information, see Using Always Encrypted with the .NET Framework Data Provider for SQL Server.
- For a step-by-step tutorial, see Tutorial: Develop a .NET Framework application using Always Encrypted with secure enclaves
[!NOTE] Using the .NET Framework Data Provider for SQL Server (System.Data.SqlClient) isn't recommended for new development. For more information, see System.Data.SqlClient.