Early 2021 we introduced Always Encrypted with Intel SGX enclaves in Azure SQL Database which expands confidential computing capabilities of Always Encrypted by enabling in-place encryption and rich confidential queries, including pattern matching, range comparisons, and sorting. It leverages the Intel Software Guard Extensions (Intel SGX) technology available in the DC-series hardware configuration. Intel SGX enables computations on sensitive plaintext data inside a server-side hardware-based secure enclave that protects data confidentiality from rogue admins and malware.
While the initial version of DC-series helped our customers to use Always Encrypted with secure enclaves, the databases were limited to maximum 8 vCores.
To address the above vCore limitation, we are excited to announce the extension of the DC-series hardware configuration to support the new Intel SGX-enabled hardware, which offers up to 40 vCores.
This improvement will open Always Encrypted using secure enclaves to customer workloads that require stronger security protection of hardware enclaves (compared to Virtualization-based Security (VBS) enclaves) with CPU or memory-heavy workloads requirements.
Enabling Intel SGX enclaves
When creating a new database in the Azure Portal, go to Service and Compute tier section, select the DC-series and move the slider up to the number of vCores you want to configure (max 40 vCores). For modifying an existing database, go to the Compute + storage blade, select the DC-series and move the slider up to the number of vCores you want to configure (max 40 vCores).
Provisioning of DC-series databases is also possible using T-SQL commands, Az.Sql PowerShell cmdlets or Azure CLI.
We’d love to hear your feedback – please contact us at alwaysencryptedpg@microsoft.com
Microsoft