6 Things You Should Know About SQL Server 2016 Always On Encryption

[Figure: Always Encrypted graphic]

The first public preview of SQL Server 2016 is now available for download. It is the biggest leap forward in Microsoft’s data platform history with real-time operational analytics, rich visualizations on mobile devices, built-in advanced analytics, new advanced security technology, and new hybrid cloud scenarios. The SQL Server 2016 release promises many new features, including a “Stretch” feature that lets you automatically archive older data to the cloud, enhanced in-memory OLTP functionality, and several new security enhancements. One of the most interesting new security features is Always On Encryption. Here are 6 things you should know about this feature.

  1. Data is encrypted at all times
    Okay, so this might seem obvious, but let's look at what this really means. In the diagram above you see that the data for one or more columns of a table is stored in an encrypted state. When SQL Server acts on this data locally, it acts only on the encrypted version. It never decrypts the data, so it stays encrypted in memory as well as on the wire as it transits the network (or Internet) on the way to the client. SQL Server treats the encrypted data as if it were the raw field. Only at the point where the data reaches the client is it decrypted for use in your applications. This makes the encrypted data nearly impervious to man-in-the-middle attacks or file-based decryption on the server.
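The column-level encryption described above, as an added T-SQL example that is not from the original article: it declares encrypted columns and then audits, from the server side, which columns hold only ciphertext. The table `dbo.Patients` and the key name `CEK_Demo` are hypothetical, and the example assumes that a column encryption key with that name has already been provisioned in the database.

```sql
-- Added example. dbo.Patients and CEK_Demo are hypothetical names;
-- CEK_Demo is assumed to exist already as a column encryption key.
CREATE TABLE dbo.Patients (
    PatientId INT IDENTITY(1,1) PRIMARY KEY,
    -- Deterministic encryption of a character column requires a BIN2 collation.
    SSN CHAR(11) COLLATE Latin1_General_BIN2
        ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Demo,
                        ENCRYPTION_TYPE = DETERMINISTIC,
                        ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NOT NULL,
    BirthDate DATE
        ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Demo,
                        ENCRYPTION_TYPE = RANDOMIZED,
                        ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NOT NULL,
    LastName NVARCHAR(50) NOT NULL  -- not encrypted: stored and returned in plaintext
);

-- Audit: list every column of the table with its encryption state.
-- encryption_type_desc is NULL for columns the server stores in plaintext.
SELECT  t.name  AS table_name,
        c.name  AS column_name,
        c.encryption_type_desc,
        c.encryption_algorithm_name,
        k.name  AS column_encryption_key
FROM    sys.columns AS c
JOIN    sys.tables  AS t
        ON t.object_id = c.object_id
LEFT JOIN sys.column_encryption_keys AS k
        ON k.column_encryption_key_id = c.column_encryption_key_id
WHERE   t.name = N'Patients'
ORDER BY c.column_id;

-- Run from a session whose connection does NOT enable column encryption
-- (for .NET SqlClient, the "Column Encryption Setting=Enabled" keyword):
-- SSN and BirthDate come back as varbinary ciphertext, because the server
-- never holds the plaintext and only a key-holding client driver decrypts.
SELECT TOP (5) PatientId, SSN, BirthDate, LastName
FROM   dbo.Patients;
```

Running the audit query across all tables (drop the `WHERE` clause) is a quick check that every column meant to be protected is actually encrypted.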