This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 8%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EWJ%3C/text%3E%3C/svg%3E)
Your documentation indicates the following:
"Encryption and decryption take place in the client driver, so that the process is transparent to client applications."
Your question is worded as follows:
"If data is encrypted using Always Encrypted, when will the data be decrypted?"
The accepted answer is phrased:
"In the client application"
To me, the definitions of application and driver are quite different. Please correct the document or question and please provide additional clarity how this works.
This question is related to the following Learning Module
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(12.8, 76%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EV%3C/text%3E%3C/svg%3E)
Thank you for contacting us from the Microsoft Q&A forum.; we appreciate your questions about the SQL Server Always Encrypted feature as well as a good eye toward how this works.
You are correct in noting that the encryption and decryption processes occur in the client driver, which is an integral part of the client application. The documentation aims to convey that the encryption and decryption processes are handled transparently by the client driver, allowing client applications to interact with the encrypted data without needing to manage the encryption details directly.
To clarify further, when data is encrypted using Always Encrypted, it is indeed the client application (through the client driver) that performs the decryption when the data is retrieved. This means that the application can work with the data as if it were unencrypted, while the actual encryption and decryption processes are managed by the driver.
Thank you very much for letting us know how best to phrase some of the documentation. We will consider your input for future updates to make it clearer. If you have any more questions or need further assistance, please do not hesitate to contact us.
If you have found the answer provided to be helpful, please click on the "Upvote and Accept Answer" button so that it is useful for other members in the Microsoft Q&A community.
Thank you for your quick response!
I do have follow up questions.
Is it necessary then to add properties or other configuration settings to specify key or keys that are used by the driver to encrypt and decrypt the values? I can imagine how the settings may be part of the connection string. Or is all of the encryption / decryption completely transparent to the developers and DBAs?
Thank you again for your time and help!
Jeff
Hi Wisneski, Jeffrey,
Thanks for follow-up questions on Always Encrypted in SQL Server! Let me address a couple of things in there:
In summary, encryption and decryption are seamless for applications, but key configuration remains essential. If you have further questions, feel free to ask.
Please don't forget to "Accept answer" and close this thread.
Just checking in to see if you had a chance to see my previous answer. Please let me know if it was helpful and don't hesitate to reach out to us if you face any issue.
Thank you.