SQL Server End to End Encryption – Always Encrypt, SSL

As we know the solution for SQL Server Data at rest encryption is TDE (Transparent Data Encryption) but what if application need End to End data encryption for PII fields, the solution is Always Encrypt columns in SQL 2016 Ent. Ed., from support DBA perspective it’s more of setting it up and supporting it but major liability lies with application developer, they need to validate and implement solution in first place; certainly there are few caveats a developer need to be aware of for e.g. not all variables are supported, only couple of them, hence all such validations need to be performed prior to recommending solution.

From architecture perspective, with SQL 2016, we have capability of end to end data encryption within SQL server, I will post articles in future if implement in my sub system,

Some useful links on the same topic stating limitations, how to setup, minimum requirements, etc.



This link explains step by step process for DBA to set up always Encrypted :


Migrating Existing data: https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/migrate-sensitive-data-protected-by-always-encrypted

Performance impact: https://sqlperformance.com/2015/08/sql-server-2016/perf-impact-always-encrypted

Hope this helps someone looking on this topic.


Possible options for Earlier SQL versions i.e. SQL 2012 and 2008 R2

With SQL 2008 R2 and 2012, instead of always encrypt, SSL option can be enabled which doesn’t do end to end data encrypt but atleast transfer data on secure channel which is still secured and can clear audit guidelines, it require certificates, follow below link to understand it better,

For SSL follow this link: https://support.microsoft.com/en-us/help/316898/how-to-enable-ssl-encryption-for-an-instance-of-sql-server-by-using-mi

Hope it helps!

Download PDF

About the Author: Nitin G

Indian born, trekker, biker, photographer, lover of monsoons. I've been working full time with SQL Server since year 2005 and blogs to post the content aquired during my research on new topics or fixing issues faced by me as a DBA while working in different kind of projects, hope some of my posts may helps others in SQLDBA community. Everything you read on my blog is my own personal opinion and any code is provided "AS-IS" with no warranties!

Leave a comment

Subscribe to this blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 265 other subscribers

Translate this blog!



February 2021
« Nov    

View Post by Categories

%d bloggers like this: