The Always Encrypted wizard in SQL Server Management Studio (SSMS) is a popular tool that has helped many customers to start their Always Encrypted journey. The wizard allows you to easily configure cryptographic keys, encrypt your data in selected columns, or to rotate your column encryption keys.
We're very excited to announce a major enhancement to the wizard in SSMS 19.1, which allows you to take advantage of secure enclaves to run cryptographic operations in-place.
Until now, the wizard worked by moving your data out of the database to perform cryptographic operations within the SSMS process, regardless of whether your database was configured with a secure enclave.
In SSMS 19.1, the wizard can automatically detect an enclave in your database and use it to securely perform cryptographic operations locally, within the database engine, which eliminates the expense of transmitting the data over the network. In-place encryption inside an enclave substantially reduces the time you need to encrypt your data or rotate your column encryption keys. It also improves the reliability of such operations, making them less prone to network errors. Combining Always Encrypted with VBS enclaves and these wizard enhancements makes it really easy to set up.
In this blog post I’m going to give you an overview of the new capabilities of the Always Encrypted Wizard in SSMS.
What has changed?
Here is how you can easily use the wizard to encrypt selected columns in place using the enclave.
Column Selection Page
On this page, you select columns you want to encrypt and configure the target encryption type and column encryption keys for those columns. For the wizard to encrypt your columns in-place, you need to use enclave-enabled keys. If you’re using existing keys, make sure you select enclave-enabled keys – annotated with (enclave-enabled). Alternatively, pick a key containing (New) in its display name, and the wizard will generate it for you.
Master Key Configuration Page
If you’ve picked a new column encryption key, you now need to configure a new column master key for it. You can store the new key in the Windows Certificate Store or in Azure Key Vault and have the wizard create just a metadata object for the key in the database, or you can have the wizard generate both the key and the metadata object describing the key in the database. For in-place encryption to be possible, make sure you select Allow enclave computations for the new column master key. Selecting this checkbox is allowed only if your database is configured with a secure enclave.
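To verify the prerequisites the wizard enforces on this page and to inspect the metadata it creates, the following T-SQL is an added example (not from the post or from SSMS itself); the key name, certificate path and the signature value are placeholders, and the enclave type codes are those documented for SQL Server.

```sql
-- Added example, not part of the original post. Checks whether the database engine
-- has a secure enclave configured, lists which keys are enclave-enabled, and shows the
-- metadata the wizard produces when "Allow enclave computations" is selected.

-- 1. Enclave configuration of the instance (requires a restart after a change):
--    0 = no enclave, 1 = VBS (virtualization-based security), 2 = Intel SGX.
SELECT [name], [value], [value_in_use]
FROM sys.configurations
WHERE [name] = 'column encryption enclave type';

-- 2. Column master keys and whether each one allows enclave computations.
--    Only keys with allow_enclave_computations = 1 appear as "(enclave-enabled)" in the wizard.
SELECT name, key_store_provider_name, key_path, allow_enclave_computations
FROM sys.column_master_keys;

-- 3. Column encryption keys, joined to the master key that protects each encrypted value.
--    A CEK is enclave-enabled only if every CMK protecting it allows enclave computations.
SELECT cek.name AS cek_name,
       cmk.name AS cmk_name,
       cmk.allow_enclave_computations
FROM sys.column_encryption_keys AS cek
JOIN sys.column_encryption_key_values AS cekv
  ON cekv.column_encryption_key_id = cek.column_encryption_key_id
JOIN sys.column_master_keys AS cmk
  ON cmk.column_master_key_id = cekv.column_master_key_id;

-- 4. Metadata the wizard creates for a new enclave-enabled CMK stored in the Windows
--    Certificate Store. The SIGNATURE is computed on the client (here by SSMS) by signing
--    the key path and the enclave-computations flag with the CMK itself, so the server
--    cannot produce it; the value below is a placeholder, not a real signature.
CREATE COLUMN MASTER KEY CMK_Enclave_Demo   -- placeholder name
WITH (
    KEY_STORE_PROVIDER_NAME = 'MSSQL_CERTIFICATE_STORE',
    KEY_PATH = 'CurrentUser/My/<certificate-thumbprint-placeholder>',
    ENCLAVE_COMPUTATIONS (SIGNATURE = 0x00)  -- placeholder signature
);
```

Queries 1 to 3 are safe to run against an existing database to confirm why the wizard offers or withholds in-place encryption; statement 4 is shown for reading only, since a real signature must come from the client tool that holds the column master key.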
In-Place Encryption Settings Page
If you have configured a secure enclave in your database and you’re using enclave-enabled keys, this page allows you to specify the enclave attestation parameters required for in-place encryption. For example, when you're using VBS enclaves, simply set the attestation protocol to None.
Summary Page
On the summary page you can now see “Enclave computations: allowed” or “Enclave computations: disallowed”, depending on whether “Allow enclave computations” was selected for the new Column Master Key. Secondly, the wizard informs you which cryptographic operations are going to be performed “In-place using a secure enclave” or “Client-side encryption”.
Conclusion
Using Always Encrypted with secure enclaves now becomes easy with this wizard. It automatically detects an enclave in your database, can generate enclave-enabled keys for you, and securely performs cryptographic operations locally by using the enclave.
Next steps
Configure column encryption using Always Encrypted Wizard - SQL Server | Microsoft Learn
Tutorial: Getting started with Always Encrypted - SQL Server | Microsoft Learn
We’d love to hear your feedback – please contact us at alwaysencryptedpg@microsoft.com