Define SQL Server Always Encrypted Keys
Use the SQL Server Always Encrypted Key Editor in a SQL Server physical model to configure encryption for individual database columns containing your sensitive data. Use this editor to specify the information about the encryption algorithm and cryptographic keys used to protect the data in the column. Always Encrypted uses two types of keys, column encryption keys and column master keys. A column encryption key is used to encrypt data in an encrypted column. A column master key is a key-protecting key that encrypts one or more column encryption keys.
To define an always encrypted key in SQL Server
- In the Model Explorer, right-click Always Encrypted Keys and click New.
An instance of Always Encrypted Key is created.
- Right-click the instance and click Properties.
The SQL Server Always Encrypted Key Editor opens.
- Select the always encrypted key in the Navigation Grid that you want to define and work with the following options:
Note: Click New on the toolbar to create a new always encrypted key. Use the Enter filter text box to filter a very large list of always encrypted keys to quickly locate the one that you want to define.
- Name
Displays the always encrypted key name. You can change the name in this field.
- Type
Specifies the type of the key. Select a data type from the drop-down list.
- MASTER
Indicates that the key is the protecting key that encrypts one or more column encryption keys.
- ENCRYPTION
Indicates that the key is a column encryption key.
Depending on the key type that you select, the options on the General tab differ.
- Click the General tab and work with the following options:
- Type: MASTER
- Key Store Provider
Specifies the name of a key store provider, which is a client-side software component that encapsulates a key store containing the column master key.
- Customer Provider
Enabled if you select CUSTOMER_PROVIDER in Key Store Provider. Specifies the custom key store provider.
- Key Path
Specifies the path of the key in the column master key store: either a Current User or Local Machine path, or a ProviderName/KeyIdentifier pair. For more information, refer to SQL Server documentation.
- Type: ENCRYPTION
Click New on the toolbar to create an instance of encrypted key options and work with the following options:
- Column Master Key
Specifies the name of the custom column master key used for encrypting the column encryption key.
- Algorithm
Specifies the name of the encryption algorithm used to encrypt the value of the column encryption key.
- Encrypted Value
Specifies the encrypted CEK value BLOB.
- (Optional) Click the Comment tab and enter any comments that you want to associate with the object.
- (Optional) Click the Where Used tab to view where the object is used within the model.
- (Optional) Click the UDP tab to work with user-defined properties for the object.
- (Optional) Click the Notes tab to view and edit user notes.
- (Optional) Click the Extended Notes tab to view or edit user notes.
- Click Close.
The always encrypted key is defined and the SQL Server Always Encrypted Key Editor closes.
For more information, refer to SQL Server documentation.
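The T-SQL below is an added example, not erwin output or code from this page. It shows the SQL Server statements that the General tab options describe, followed by catalog queries for reviewing the key hierarchy after deployment. The mapping of editor fields to clauses is an assumption based on the field names; CMK_Example, CEK_Example, the thumbprint and the encrypted value are constructed placeholders.

```sql
-- Added example. All object names and key values are constructed placeholders.
-- GO is the batch separator used by sqlcmd and SSMS.

-- Type: MASTER
--   Key Store Provider -> KEY_STORE_PROVIDER_NAME
--   Key Path           -> KEY_PATH (Current User certificate store form shown)
CREATE COLUMN MASTER KEY [CMK_Example]
WITH (
    KEY_STORE_PROVIDER_NAME = N'MSSQL_CERTIFICATE_STORE',
    KEY_PATH = N'CurrentUser/My/<CERTIFICATE_THUMBPRINT_PLACEHOLDER>'
);
GO

-- Type: ENCRYPTION
--   Column Master Key -> COLUMN_MASTER_KEY
--   Algorithm         -> ALGORITHM (protects the CEK value, not the column data)
--   Encrypted Value   -> ENCRYPTED_VALUE (CEK wrapped by the column master key)
CREATE COLUMN ENCRYPTION KEY [CEK_Example]
WITH VALUES (
    COLUMN_MASTER_KEY = [CMK_Example],
    ALGORITHM = 'RSA_OAEP',
    ENCRYPTED_VALUE = 0x00  -- placeholder: replace with the BLOB produced by your key tooling
);
GO

-- Review: which master key protects which column encryption key, and where it lives.
SELECT cmk.name                      AS column_master_key,
       cmk.key_store_provider_name,
       cmk.key_path,
       cek.name                      AS column_encryption_key,
       v.encryption_algorithm_name,
       DATALENGTH(v.encrypted_value) AS encrypted_value_bytes
FROM sys.column_master_keys AS cmk
JOIN sys.column_encryption_key_values AS v
     ON v.column_master_key_id = cmk.column_master_key_id
JOIN sys.column_encryption_keys AS cek
     ON cek.column_encryption_key_id = v.column_encryption_key_id
ORDER BY cmk.name, cek.name;

-- Review: which columns are actually encrypted, and with which column encryption key.
SELECT OBJECT_SCHEMA_NAME(c.object_id) AS schema_name,
       OBJECT_NAME(c.object_id)        AS table_name,
       c.name                          AS column_name,
       c.encryption_type_desc,
       cek.name                        AS column_encryption_key
FROM sys.columns AS c
JOIN sys.column_encryption_keys AS cek
     ON cek.column_encryption_key_id = c.column_encryption_key_id
ORDER BY schema_name, table_name, column_name;
```

The database stores only metadata about the column master key (provider name and path); the key material stays in the client-side key store, so the review queries show where a key lives but never the key itself.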
Copyright © 2018 erwin, Inc.
All rights reserved.