Always Encrypted
- Documentation on configuring Always Encrypted on SQL Server using the Windows certificate store
- Documentation on configuring Always Encrypted on Azure SQL using the Windows certificate store. You can follow it up to "Create a client application that works with the encrypted data", skipping the "Create a table" step and instead letting Django create the tables by running `python manage.py migrate`.
After encrypting the columns, change settings.py to enable decryption: put `"extra_params": "ColumnEncryption=Enabled;"` in the OPTIONS dictionary inside the DATABASES dictionary, e.g.:
```python
DATABASES = {
    "default": {
        "ENGINE": "mssql",
        ...
        "OPTIONS": {
            ...
            "extra_params": "ColumnEncryption=Enabled;"
        },
    },
}
```

- Documentation on how to configure Always Encrypted using Azure Key Vault. You can follow it up to "Create a client application that works with the encrypted data", skipping the "Create a table" step and instead letting Django create the tables by running `python manage.py migrate`.
If the Always Encrypted wizard doesn't work, you can add the Key Vault manually in SSMS: right-click the Column Master Keys folder under Security > Always Encrypted Keys, select New Column Master Key..., change Key store to Azure Key Vault and select the key to use. If you do it this way, choose the key you added in the Select column master key dropdown instead of Auto generate column master key in the Master Key Configuration section.
After encrypting the columns, change settings.py to enable decryption: put `"extra_params": "ColumnEncryption=Enabled;KeyStoreAuthentication=KeyVaultClientSecret;KeyStorePrincipalId=XXXXX;KeyStoreSecret=YYYYY"` in the OPTIONS dictionary inside the DATABASES dictionary, where XXXXX and YYYYY are the Application (client) ID and the Client secret value, e.g.:
```python
DATABASES = {
    "default": {
        "ENGINE": "mssql",
        ...
        "OPTIONS": {
            ...
            # Replace XXXXX and YYYYY with Application (client) ID and Client secret value respectively
            "extra_params": "ColumnEncryption=Enabled;KeyStoreAuthentication=KeyVaultClientSecret;KeyStorePrincipalId=XXXXX;KeyStoreSecret=YYYYY"
        },
    },
}
```

Only client ID/secret is supported. Username/password, Managed Identity and AKV Interactive are unsupported at this time.
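Both settings.py snippets above hardcode the Key Vault client secret in source. The following is an added example, not code from mssql-django, showing one way to build the same two `extra_params` strings (the certificate-store form and the Key Vault client-secret form) from environment variables instead, validate the values before they are joined into the ODBC connection string, and produce a redacted copy that is safe to log. The environment variable names `AKV_CLIENT_ID` and `AKV_CLIENT_SECRET` and all function names are assumptions of this example.

```python
"""Build mssql-django OPTIONS["extra_params"] for Always Encrypted.

Added example, not part of the mssql-django project. It produces exactly
the two settings shapes documented on this page:
  - "ColumnEncryption=Enabled;" for the Windows certificate store, and
  - the KeyVaultClientSecret form for Azure Key Vault.
AKV_CLIENT_ID / AKV_CLIENT_SECRET are assumed environment variable names.
"""
import os


def build_extra_params(key_vault_client_id=None, key_vault_client_secret=None):
    """Return the extra_params string that turns on column decryption.

    With no Key Vault credentials the certificate-store form is returned.
    With both, the KeyVaultClientSecret form is returned. Giving only one of
    the two is a configuration mistake and raises instead of silently
    emitting a half-configured connection string.
    """
    if (key_vault_client_id is None) != (key_vault_client_secret is None):
        raise ValueError("Key Vault client ID and client secret must be given together")

    parts = ["ColumnEncryption=Enabled"]
    if key_vault_client_id is not None:
        # ';' and '=' are the ODBC separators: a value containing them would
        # be read as extra keys, so reject rather than splice them in.
        for value in (key_vault_client_id, key_vault_client_secret):
            if ";" in value or "=" in value or not value:
                raise ValueError("Key Vault credential contains an ODBC separator or is empty")
        parts += [
            "KeyStoreAuthentication=KeyVaultClientSecret",
            f"KeyStorePrincipalId={key_vault_client_id}",
            f"KeyStoreSecret={key_vault_client_secret}",
        ]
    return ";".join(parts) + ";"


def parse_extra_params(extra_params):
    """Split an ODBC-style 'Key=Value;Key=Value;' string into a dict."""
    result = {}
    for item in extra_params.split(";"):
        if not item:
            continue  # tolerate the trailing ';'
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed extra_params item: {item!r}")
        result[key] = value
    return result


def redact_extra_params(extra_params):
    """Return a copy of extra_params with the Key Vault secret masked, for logs."""
    parsed = parse_extra_params(extra_params)
    if "KeyStoreSecret" in parsed:
        parsed["KeyStoreSecret"] = "***"
    return ";".join(f"{k}={v}" for k, v in parsed.items()) + ";"


def database_options_from_env(environ=None):
    """Build the OPTIONS dict for DATABASES["default"] from the environment.

    AKV_CLIENT_ID / AKV_CLIENT_SECRET are assumed names; when both are absent
    the certificate-store form is produced, so the same settings.py works for
    a developer box using the Windows certificate store and a deployment
    using Azure Key Vault.
    """
    if environ is None:
        environ = os.environ
    return {
        "extra_params": build_extra_params(
            environ.get("AKV_CLIENT_ID"), environ.get("AKV_CLIENT_SECRET")
        ),
    }


if __name__ == "__main__":
    # Constructed sample credentials, not real values.
    sample_env = {"AKV_CLIENT_ID": "00000000-0000-0000-0000-000000000000",
                  "AKV_CLIENT_SECRET": "constructed-secret-value"}
    options = database_options_from_env(sample_env)
    print(redact_extra_params(options["extra_params"]))
```

In settings.py you would then write `"OPTIONS": database_options_from_env()` and keep the secret out of the repository; the redacted form is the one to put in startup logs or error reports.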