Always Encrypted with secure enclaves in Azure SQL Database preview

This article is contributed. See the original author and article here.

Moving to the cloud has clear economic benefits: cost savings, productivity gains, scalability, and agility, to name a few. However, many organizations keep sensitive data out of the public cloud due to regulations or to remain in full control, and thus they are missing out on those benefits.

Keep control of your data

Always Encrypted allows you to store your most sensitive data in the public cloud without giving up the control. With Always Encrypted, your data gets transparently encrypted and decrypted outside of the database (inside the client application) using keys that are never revealed to the database system. As a result, administrators, including cloud operators, cannot see the data or the keys in plaintext. For example, a DBA can query a table holding sensitive data or an OS admin can read the memory of the database system process, but all they can access is encrypted data, not plaintext.

Confidential computing

Client-side encryption typically makes it impossible for the database system to perform any computations on encrypted data, which makes it extremely costly to deploy. To work around it, you need to refactor your apps to perform computations outside of the database, which is often impractical.

Always Encrypted addresses this challenge with confidential computing – the ability to process queries on encrypted data without exposing the data in the clear to admins.

Secure enclaves open new possibilities
Until now, Always Encrypted has supported confidential computing with deterministic encryption, which enables simple point lookup searches and equality joins on encrypted data within the database system.

Now in preview in Azure SQL Database, Always Encrypted with secure enclaves takes confidential computing to the next level. A secure enclave is a protected region of memory within the SQL database engine process. It acts as a trusted execution environment for processing sensitive data inside the database engine. A secure enclave appears as an opaque box for the rest of the database engine process and other processes on the hosting machine. There is no way to view any data or code inside the enclave from the outside, even with a debugger. Therefore, during query processing, the secure enclave can safely decrypt sensitive data and perform rich computations on the plaintext.

Always Encrypted with secure enclaves provides two key benefits:

Rich confidential queries, including pattern matching (LIKE) and range comparisons. These new capabilities make it possible to protect a much broader set of sensitive information (names, address, phone numbers, sensitive numerical data) without painful compromises.

In-place encryption – allowing cryptographic operations inside the secure enclave, to eliminate the need to move the data outside of the database for initial encryption or key rotation.

In Azure SQL Database, Always Encrypted uses Intel Software Guard Extensions (Intel SGX) enclaves – a hardware technology supported in databases that use the new DC-series hardware generation, now also in preview. Selecting DC-series for your database places it on the hardware equipped with Intel SGX, which is a prerequisite for enabling Always Encrypted with secure enclaves.

With this release, Azure SQL Database joins the growing family of Azure confidential computing services, including confidential virtual machines, confidential containers, confidential machine learning, and confidential IoT edge devices.

Customers who are already using secure enclaves
Here are some examples of customers who are already using Always Encrypted with secure enclaves in Azure SQL Database.

Royal Bank of Canada

“Our project focuses on working with different partners to bring more value to respective customers by exchanging encrypted data wherein no person, process or system can see each other’s data. Always Encrypted with secure enclaves in Azure SQL Database provides us the framework for managing encrypted data and running queries on top of them, while minimizing work on our end. By leveraging Always Encrypted that helps ensure that RBC and Microsoft don’t have access to customer data, we can create a new platform to provide services that we couldn’t offer before.” — Eddy Ortiz, VP of Solution Acceleration and Innovation, Royal Bank of Canada

Financial Fabric

“Always Encrypted with secure enclaves enables the DataHub service from Financial Fabric to meet the strictest of Financial Services Industry data security requirements where PII data remains encrypted throughout its life cycle. Financial calculations on sensitive data are computed completely within the secure “walls” of the enclave giving banks, hedge funds and investors control so that their unencrypted PII data and related computations stay within the secure enclave.” — Paul A. Stirpe Ph.D., Chief Technology Officer, Financial Fabric

Next steps
For more information and to get started with Always Encrypted with secure enclaves, see: