Microsoft yesterday announced the general availability of Always Encrypted in Azure SQL Database. Always Encrypted is a feature designed to protect sensitive data, such as credit card numbers or national identification numbers (e.g. U.S. social security numbers), stored in Azure SQL Database or SQL Server databases. Always Encrypted allows clients to encrypt sensitive data inside client applications and never reveal the encryption keys to the Database Engine (SQL Database or SQL Server). Encryption keys are managed outside of the database for maximum safety and separation of duties. Only authorized users with access to the encryption keys can see unencrypted data while using your applications.
For example, an admitting nurse may have a business need to access a patient’s unencrypted social security number, but that data does not need to be visible anywhere else in the system. With Always Encrypted, patients’ social security numbers are stored encrypted in the database at all times, even during query processing, and are decrypted only at the point of use by authorized staff or applications that need to process that data.
Client drivers have been enhanced to work in conjunction with the database engine to decrypt and encrypt data at the point of use, requiring only minimal modifications to your applications. Microsoft currently supports Always Encrypted in the .NET Framework Data Provider for SQL Server, and support in JDBC and ODBC is coming soon.
Visit the Always Encrypted documentation page for more details.