title: Configure Always Encrypted using SSMS
description: Describes tasks for configuring and managing Always Encrypted databases with SQL Server Management Studio (SSMS).
author: jaszymas
ms.author: jaszymas
ms.reviewer: vanto
ms.date: 10/31/2019
ms.service: sql
ms.subservice: security
ms.topic: conceptual
helpviewer_keywords: Always Encrypted, configure with SSMS
monikerRange: =azuresqldb-current||>=sql-server-2016||>=sql-server-linux-2017||=azuresqldb-mi-current

Configure Always Encrypted using SQL Server Management Studio

Applies to: SQL Server, Azure SQL Database, Azure SQL Managed Instance

This article describes tasks for configuring Always Encrypted and managing databases that use Always Encrypted with SQL Server Management Studio (SSMS).

Security Considerations when using SSMS to Configure Always Encrypted

When you use SSMS to configure Always Encrypted, SSMS handles both Always Encrypted keys and sensitive data, so both the keys and the data appear in plaintext inside the SSMS process. Therefore, it's important that you run SSMS on a secure computer. If your database is hosted in SQL Server, make sure SSMS runs on a different computer than the one hosting your SQL Server instance. The primary goal of Always Encrypted is to ensure encrypted sensitive data is safe even if the database system gets compromised, so running SSMS (or any other tool, such as a PowerShell script, that processes keys or sensitive data) on the SQL Server computer can reduce or defeat the benefits of the feature. For additional recommendations, see Security Considerations for Key Management.

SSMS doesn't support role separation between those who manage the database (DBAs) and those who manage cryptographic secrets and have access to plaintext data (Security Administrators and/or Application Administrators). If your organization enforces role separation, you should use PowerShell to configure Always Encrypted. For more information, see Overview of Key Management for Always Encrypted and Configure Always Encrypted using PowerShell.
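The role-separated workflow that SSMS cannot provide looks like this with the SqlServer PowerShell module. This is an added example, not part of the original article; the key names (CMK1, CEK1), the handoff file name, and the connection string placeholders are assumptions.

```powershell
# Added example. CMK1, CEK1, ae-key-metadata.json, <server> and <database> are assumed names.
Import-Module SqlServer

# --- Part 1: Security Administrator -------------------------------------------
# Run on a trusted machine that is NOT the SQL Server host.
# No database connection is opened in this part.
$cert = New-SelfSignedCertificate -Subject "AlwaysEncryptedCMK" `
    -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy Exportable `
    -Type DocumentEncryptionCert -KeyUsage DataEncipherment -KeySpec KeyExchange

# Describe where the column master key lives (certificate store + thumbprint).
$cmkSettings = New-SqlCertificateStoreColumnMasterKeySettings `
    -CertificateStoreLocation "CurrentUser" -Thumbprint $cert.Thumbprint

# Generate a column encryption key and encrypt it with the column master key.
# Only the encrypted value leaves this machine; the plaintext key is never written out.
$encryptedValue = New-SqlColumnEncryptionKeyEncryptedValue `
    -TargetColumnMasterKeySettings $cmkSettings

# Hand the DBA metadata only: the key path and the encrypted key value.
[pscustomobject]@{
    KeyPath        = $cmkSettings.KeyPath
    EncryptedValue = $encryptedValue
} | ConvertTo-Json | Set-Content -Path .\ae-key-metadata.json

# --- Part 2: DBA ---------------------------------------------------------------
# Run by someone with database permissions but no access to the certificate's
# private key, so this role never sees plaintext keys or plaintext column data.
$meta = Get-Content -Path .\ae-key-metadata.json -Raw | ConvertFrom-Json

$dbaCmkSettings = New-SqlColumnMasterKeySettings `
    -KeyStoreProviderName "MSSQL_CERTIFICATE_STORE" -KeyPath $meta.KeyPath

$connStr  = "Data Source=<server>;Initial Catalog=<database>;Integrated Security=True"
$database = Get-SqlDatabase -ConnectionString $connStr

# Register key metadata in the database; nothing here needs the private key.
New-SqlColumnMasterKey -Name "CMK1" -InputObject $database `
    -ColumnMasterKeySettings $dbaCmkSettings
New-SqlColumnEncryptionKey -Name "CEK1" -InputObject $database `
    -ColumnMasterKeyName "CMK1" -EncryptedValue $meta.EncryptedValue
```

The two parts are meant to be run by different people on different machines; they appear in one block here only for readability.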

Always Encrypted Tasks using SSMS

See Also