Enable Always Encrypted with secure enclaves in Azure SQL Database

Applies to: Azure SQL Database

In Azure SQL Database, Always Encrypted with secure enclaves can use either Intel Software Guard Extensions (Intel SGX) enclaves or Virtualization-based Security (VBS) enclaves. For more information, see Plan for secure enclaves in Azure SQL Database.

For Intel SGX to be available, the database must use the vCore model and DC-series hardware.

Configuring the DC-series hardware to enable Intel SGX enclaves is the responsibility of the Azure SQL Database administrator. For more information, see Roles and responsibilities when configuring Intel SGX enclaves and attestation.

Note

Intel SGX is not available in hardware configurations other than DC-series. For example, Intel SGX is not available for standard-series (Gen5) hardware, and it is not available for databases using the DTU model.

Important

Before you configure the DC-series hardware for your database, check the regional availability of DC-series and make sure you understand its performance limitations. For more information, see DC-series.

For detailed instructions on how to configure a new or existing database to use a specific hardware configuration, see Hardware configuration.

For more information, review Configure Azure Attestation for your Azure SQL database server.

See also