VBS enclaves for Always Encrypted in Azure SQL Database – preview
Support for virtualization-based security (VBS) enclaves in Azure SQL Database is a new addition to the Always Encrypted feature family. It brings the benefits of secure enclaves – rich confidential queries and in-place cryptographic operations - to all Azure SQL Database offerings, independent from the underlying hardware.
Always Encrypted feature family
Always Encrypted is a family of industry-leading data protection features that provide a separation between those who own the data and can view it, and those who manage the data but should have no access - on-premises database administrators, cloud database operators, or other high-privileged but unauthorized users. It achieves this by making plaintext data visible only inside the customer’s trust zone – trusted client applications and a server-side secure enclave - a protected region of memory available for query processing by the database engine. A secure enclave is a black box to the outside world, making sensitive data, processed inside it, not accessible to OS admins or DBAs.
Why secure enclave
Secure enclaves make Always Encrypted available for a wider set of use cases for two important reasons:
- Enabling cryptographic operations, such as encrypting a column containing sensitive data or re-encrypting to rotate a column (data) encryption key, in-place, to avoid the expense of moving the data outside of the database. With in-place encryption, setting up Always Encrypted becomes much easier and faster, and it is the only practical solution for large tables.
- Supporting more computations, including pattern matching, equality comparisons, and sorting. Without secure enclaves, the only computation supported on encrypted columns is equality comparison. For any other operations, you need to refactor your apps to retrieve the data and process it on the client-side – again, it’s a viable option only for small data sets.
VBS enclaves provide flexibility
Until now, Always Encrypted with secure enclaves in Azure SQL Database relied on the Intel Software Guard Extensions (SGX) hardware enclaves. To enable Always Encrypted with secure enclaves for their databases, customers needed to select a special hardware configuration, called DC-series.
Unlike Intel SGX, VBS is a software-based solution with no hardware dependency. This allows us to bring the benefits of Always Encrypted with secure enclaves to all Azure SQL Database offerings, so that you can use the feature with a compute tier (provisioned or serverless), a purchasing model (vCore or DTU), a compute size (currently, up to 128 vCores), and a region that best matches your workload requirements. And, since VBS enclaves are available in existing hardware offerings, they come with no extra cost.
It is important to note that Intel SGX enclaves remain a recommended option for customers who seek the strongest level of protection, including the isolation from host OS administrators, which VBS enclaves do not provide.
While support for VBS enclaves is new in Azure SQL Database, VBS is a well-established technology. Always Encrypted with secure enclaves in SQL Server has levered VBS enclaves since the 2019 release. VBS is a foundation for popular Windows security features, including Windows Hello and Microsoft Defender Credential Guard.
Morgan Stanley, who has partnered with our team throughout the development process of VBS, has this to say about the introduction of VBS technology to Azure SQL Database:
By introducing virtualization-based security (VBS) enclaves support in Azure SQL Database, Microsoft has enabled our applications to meet Morgan Stanley’s comprehensive data encryption requirements. VBS enables additional query capabilities on data that is encrypted with the Always Encrypted feature. With this addition to the Always Encrypted family, we now have the flexibility to protect our sensitive data and match the performance needs of our workloads. Yunchi Nam, Global Head of Enterprise Computing, Managing Director, Distinguished Engineer |
How to participate in preview
Enabling a VBS enclave in your database is easy – you can do that using Azure PowerShell (see an example below) or Azure CLI.
Set-AzSqlDatabase `
-ResourceGroupName $resourceGroupName `
-ServerName $serverName `
-DatabaseName $databaseName `
-PreferredEnclaveType VBS
Once your database has access to a VBS enclave, you can start using it for in-place encryption or to run rich confidential queries. See Tutorial: Getting started with Always Encrypted with secure enclaves for step-by-step instructions.
We’d love to hear your feedback – please contact us at alwaysencryptedpg@microsoft.com