Microsoft SQL Server Always Encrypted - Integration Guide

This document contains instructions for integrating Microsoft SQL Server Always Encrypted with Luna HSM devices. In case of Microsoft SQL Server Always Encrypted, the term “Always” implies that data is encrypted all the time; not just at rest, but also during flight. Furthermore, the encryption keys themselves – which are essential for both encrypting and decrypting – are not stored in the database. Those keys stay with you, at the client side. Data when it arrives at the client can be decrypted on the client and by the client, who possesses the necessary keys. Likewise, when inserting or updating new data, that data gets encrypted immediately on the client, before it ever leaves the client, and remains encrypted in-flight all the way to the database server, where SQL Server can only store it in that encrypted state – it cannot decrypt it.

Always Encrypted is a hybrid feature, where all the encryption and decryption occurs exclusively on the client side. Using Luna HSMs with Microsoft SQL Server Always Encrypted provides the following benefits:

• Secure generation, storage and protection of the encryption key on FIPS 140-2 level 3 validated hardware.
• Full life cycle management of the keys.
• HSM audit trail.
• Significant performance improvements by off-loading cryptographic operations from application servers