Always Encrypted In SQL Server workloads in Azure

What is SQL Server Always Encrypted ? An important option to be considered during restricting unauthorized access to data. Encrypt data so that even if somebody was able to reach to sensitive data it is not accessible as plain- text.Always Encrypted is encryption technique introduced in SQL Server 2016 and this feature can be enabled for individual database columns containing sensitive data.This feature will assist in being GDPR complained - May 2018 https://www.eugdpr.org/ This feature would provide encryption not only when data is at REST but also during TRANSIT.

Is Always Encrypted Applicable for Cloud Infrastructure As A Service ( IaaS) and Platform As A Service ( PaaS) workloads ? Yes. We could enable this feature in three scenarios

1. Client and Data On-Premises - Restricts SQL DBAs to decrypt the sensitive data from selected columns as the encryption keys could get stored in trusted key store at application side.
2. Client On-Premises with Data in Azure - Restricts Microsoft Cloud administrators to decrypt the sensitive data from selected columns as the encryption keys could get stored in trusted key store at on-prem.
3. Client and Data in Azure - Reduces the security attack surface area as encryption keys could be stored in safe location like Azure Key Vault

 Could we replace Transparent Data Encryption ( TDE) with Always Encrypted ?

• TDE is database-level encryption.Always Encrypted feature could be deployed for encrypting specific sensitive columns.
• TDE protects the data at rest. It encrypts the database file on disk and the backups. Always Encrypted will make sure data remains encrypted at REST and during the TRANSIT.
• TDE does not encrypt objects in the database and prevent them from being viewed. Anybody with access to the server will be able to query the database and read data.In case of Always Encrypted only the authorized application users who has access to the Encryption keys will be able to find the decrypted data, will be allowed to perform certain modifications, perform some documented actions
• TDE doesn't need any driver since it is database level. It works for all applications.Always Encrypted is driver specific (we see examples that support for .NET and Java). And not sure about when the application needs to change/upgrade the driver when the data encryption will work or not for existing data.
• TDE allows normal index usage. Always Encrypted feature does not allow the indexing of the encrypted column ( Especially in case of randomized encryption type gets selected )

SQL Always Encrypt will have any Impact on Performance ?

There are number of limitations which are perfectly documented in the MSDN article -https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-database-engine?view=sql-server-2017

Performance test was done in Azure SQL databases of BASIC and PREMIUM TIER databases in three ways

1. Disabling TDE [ By default in Azure SQL, TDE is enabled ]
2. Enable TDE
3. Enable TDE and SQL Always Encrypted feature

Here are the results - Noticed increase in the INSERT, SELECT duration and increase in the size of the Table.