This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(99.2, 39%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJW%3C/text%3E%3C/svg%3E)
We are using Azure SQL on cloud with the Enclave-enabled.
A table created by:
CREATE TABLE [dbo].[both] (
[id] INT IDENTITY(1,1) PRIMARY KEY,
[ran] [varchar](100) COLLATE Latin1_General_BIN2 ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = [CEK1], ENCRYPTION_TYPE = RANDOMIZED, ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NULL,
[determ] VARCHAR(100) COLLATE Latin1_General_BIN2 ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = [CEK1], ENCRYPTION_TYPE = Deterministic, ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NULL
);
declare @ran varchar(10) = 'rr';
declare @det varchar(10) = 'dd';
insert into both (ran, determ) values (@ran, @det);
select * from dbo.both where determ like @det;
error:
Msg 33277, Level 16, State 2, Line 17
Encryption scheme mismatch for columns/variables 'determ', '@det'. The encryption scheme for the columns/variables is (encryption_type = 'DETERMINISTIC', encryption_algorithm_name = 'AEAD_AES_256_CBC_HMAC_SHA_256', column_encryption_key_name = 'CEK1', column_encryption_key_database_name = 'en2') and the expression near line '7' expects it to be RANDOMIZED, a BIN2 collation for string data types, and an enclave-enabled column encryption key, or PLAINTEXT.
Msg 8180, Level 16, State 1, Procedure sp_describe_parameter_encryption, Line 1 [Batch Start Line 10]
Statement(s) could not be prepared.
An error occurred while executing batch. Error message is: Internal error. Metadata for parameter '@p4da10ebebef5489c91243a7db8ba54f6' in statement or procedure 'DECLARE @ran AS VARCHAR (10) = @p4da10ebebef5489c91243a7db8ba54f6;
DECLARE @det AS VARCHAR (10) = @p275ee05cd3c24dfa9f04e1aee906933d;
SELECT *
FROM dbo.both
WHERE determ LIKE @det;
' is missing in resultset returned by sp_describe_parameter_encryption.
is there way to let Deterministic work for like and = with and without enclaved?
I also had severe problems to get your example to work, and it took me quite a while to figure out why. However, looking at the your error message, it does not match the message I got. So you may be running into something else.
Eventually, this ran successfully for me:
DROP TABLE IF EXISTS both
CREATE TABLE dbo.both (
id int IDENTITY(1,1) PRIMARY KEY,
random varchar(100) COLLATE DATABASE_DEFAULT
ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Auto1,
ENCRYPTION_TYPE = RANDOMIZED,
ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NULL,
determ varchar(100) COLLATE Latin1_General_100_BIN2_UTF8
ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Auto1,
ENCRYPTION_TYPE = Deterministic,
ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NULL
);
go
declare @random varchar(100) = 'rr';
declare @determ varchar(100) = 'dd';
insert into both (random, determ) values (@random, @determ);
The key was that I have a UTF8 collation as my database collation, and with varchar, the code page of the database collation must match the code page of the collation of the encrypted column. For nvarchar this is not an issue. (And, unless you are using a UTF-8 collation, you should use nvarchar for string data in most cases.)
But since you get a different error message, this may not apply to you. But try nvarchar anyway and check your database collation.
Also, make sure that you have checked this option in SSMS:
Then again, as we already have discussed there is little reason to use deterministic encryption when you have enclaves, so go for randomised.
Hi Erland,
I tried the nvar, same error.
I did:
alter table both add nvar nvarchar (100) COLLATE Latin1_General_BIN2 ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = [CEK1], ENCRYPTION_TYPE = Deterministic, ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NULL;
declare @nvar nvarchar(100) = 'nnn';
select * from both where nvar like @nvar;
The SSMS error:
Msg 33277, Level 16, State 2, Line 27
Encryption scheme mismatch for columns/variables 'nvar', '@nvar'. The encryption scheme for the columns/variables is (encryption_type = 'DETERMINISTIC', encryption_algorithm_name = 'AEAD_AES_256_CBC_HMAC_SHA_256', column_encryption_key_name = 'CEK1', column_encryption_key_database_name = 'en2') and the expression near line '5' expects it to be RANDOMIZED, a BIN2 collation for string data types, and an enclave-enabled column encryption key, or PLAINTEXT.
An error occurred while executing batch. Error message is: Internal error. Metadata for parameter '@pdb239b51084e491eb1410d6302789d67' in statement or procedure 'DECLARE @nvar AS NVARCHAR (100) = @pdb239b51084e491eb1410d6302789d67;
SELECT *
FROM both
WHERE nvar LIKE @nvar;
' is missing in resultset returned by sp_describe_parameter_encryption.
Then I use JAVA JDBC code below, got error - which indicated "expects it to be RANDOMIZED" :
com.microsoft.sqlserver.jdbc.SQLServerException: Encryption scheme mismatch for columns/variables 'nvar', '@P0'. The encryption scheme for the columns/variables is (encryption_type = 'DETERMINISTIC', encryption_algorithm_name = 'AEAD_AES_256_CBC_HMAC_SHA_256', column_encryption_key_name = 'CEK1', column_encryption_key_database_name = 'en2') and the expression near line '1' expects it to be RANDOMIZED, a BIN2 collation for string data types, and an enclave-enabled column encryption key, or PLAINTEXT.
at com.microsoft.sqlserver.jdbc.SQLServerException.makeFromDatabaseError(SQLServerException.java:276)
at com.microsoft.sqlserver.jdbc.SQLServerStatement.getNextResult(SQLServerStatement.java:1781)
at com.microsoft.sqlserver.jdbc.SQLServerPreparedStatement.doExecutePreparedStatement(SQLServerPreparedStatement.java:688)
at com.microsoft.sqlserver.jdbc.SQLServerPreparedStatement$PrepStmtExecCmd.doExecute(SQLServerPreparedStatement.java:607)
...
SQLServerPreparedStatement pstmt = (SQLServerPreparedStatement) conn.prepareStatement("SELECT * FROM both WHERE nvar like ?");
pstmt.setNString(1, "%", true);
ResultSet rs = pstmt.executeQuery();
while (rs.next()) {
System.out.println("value: " + rs.getNString("nvar") );
}
I'm afraid don't know what that error implies. It's working on my side.
Possibly, it could indicate that your keys are not matching up. Maybe you should tear everything and start over. If you have keys in your local certificate store, clear it of all keys related to Always Encrypted. If you have them in Azure Key Vault, clear everything.
Then again as I said a number of times now: with enclaves there is little reason to use deterministic encryption, so stick with randomised.
deterministic gives much high performance in searching, indexing, etc. and saving lots spaces as we have millions of records each in hundreds of tables.
btw, We are using key vault to create the CMK, not certificate.
deterministic gives much high performance in searching, indexing,
Did you actually benchmark this? I mean, since you don't seem to be able to create deterministic encryption with enclaves, how would you know? (It's a different matter with you have AE without enclaves.)
and saving lots spaces
Maybe, but I did a quick test:
declare @ran varchar(100) = 'If you don''t see the message about misaligned reads';
declare @det varchar(100) = 'If you don''t see the message about misaligned reads';
insert into both (ran, determ) values (@ran, @det);
Then ran a SELECT from a machine where I don't have access to the keys, so I only saw the encrypted bits. I copied these to a window in SSMS. The hex strings had exactly the same length. But as this was a quick test, I might be missing something.In any case, from a security standpoint, randomised is a lot better.
we store payment xml and json plain text, so many columns are as big as 2k bytes; also we have database level encrypted out of the column level. but now looked we have to use randomised.