We are thrilled to announce that Virtualization-based security (VBS) enclaves for Always Encrypted in Azure SQL Database are now generally available! This is a major milestone for enhancing the security and privacy of sensitive data in the cloud.
Support for virtualization-based security (VBS) enclaves in Azure SQL Database is a new addition to the Always Encrypted feature family. It brings the benefits of secure enclaves – rich confidential queries and in-place cryptographic operations - to all Azure SQL Database offerings, independent from the underlying hardware.
Until now, Always Encrypted with secure enclaves in Azure SQL Database relied on the Intel Software Guard Extensions (SGX) hardware enclaves. To enable Always Encrypted with secure enclaves for their databases, customers needed to select a special hardware configuration, called DC-series.
Unlike Intel SGX, VBS is a software-based solution with no hardware dependency. This allows us to bring the benefits of Always Encrypted with secure enclaves to all Azure SQL Database offerings, so that you can use the feature with a compute tier (provisioned or serverless), a purchasing model (vCore or DTU), a compute size (currently, up to 128 vCores), and a region that best matches your workload requirements. And, since VBS enclaves are available in existing hardware offerings, they come with no extra cost.
It is important to note that Intel SGX enclaves remain a recommended option for customers who seek the strongest level of protection, including the isolation from host OS administrators, which VBS enclaves do not provide.
Get started today!
Enabling a VBS enclave in your database is easy! We provide several options to enable a VBS enclave on your database, like Azure Portal, SQL Server Management Studio, Azure Data Studio, PowerShell, Azure CLI and REST API.
We have added a new section on the Security page of the Create Database and Create Elastic Pool experience in the Azure Portal. It allows you to enable a secure enclave on your database or elastic pool by just switching the toggle to ON.
Enabling an enclave for an existing Azure SQL Database or Elastic Pool is also possible. Just go to the Data Encryption blade of your Azure SQL Database and select the Always Encrypted tab.
SQL Server Management Studio
Download the latest version of the SQL Server Management Studio here!
Always Encrypted Wizard
We made the Always Encrypted wizard in the SQL Server Management Studio (SSMS) smart! If you start the wizard and it notices that there is no enclave enabled for the database, you will be prompted to enable a VBS enclave with a simple click, and then move forward with the encryption of your data already leveraging the enclave. Enabling the VBS enclave will allow you to use in-place encryption which is much faster and more reliable than client-side encryption without using an enclave.
Just like in the Azure Portal, we have added a new section on the Configure SLO page of the Create Database and Database Properties experience in SSMS. It allows you to enable a secure enclave on your database by just switching the toggle to ON.
The new offer, Always Encrypted with VBS enclaves, is available now and you can start using it today. To learn more about this feature, see: