Can You Use Always Encrypted for Selective Column-Level Encryption?
Learn how Azure SQL’s Always Encrypted feature enables selective, column-level encryption of sensitive data. For the AZ-500 exam, master client-side encryption by understanding how to protect individual database columns while the data is in use, in transit, and at rest.
Question
You cannot configure Always Encrypted for individual database columns containing your sensitive data.
A. TRUE
B. FALSE
Answer
B. FALSE
Explanation
The statement is FALSE. The core design of Always Encrypted is granular, column-level encryption: you select the individual columns that hold sensitive data and encrypt only those, leaving the rest of the table in plaintext.
Column-Level Encryption with Always Encrypted
Always Encrypted is a client-side encryption technology. Sensitive data is encrypted by an Always Encrypted-enabled client driver (for example .NET SqlClient, JDBC or ODBC, with Column Encryption Setting=Enabled in the connection string) before it is ever sent to the database engine, and decrypted by that driver after results come back. The database itself only ever stores and processes ciphertext, never plaintext. This protects the data from high-privilege but unauthorized users, such as database administrators (DBAs) or cloud operators, as long as those users have no access to the key that protects the column keys.
The mechanism relies on two types of keys:
- Column Encryption Keys (CEKs): These are the symmetric keys used to actually encrypt the data within a specific column. The database stores each CEK only in wrapped (encrypted) form.
- Column Master Keys (CMKs): These are the keys that protect (wrap) the Column Encryption Keys. A CMK lives in a trusted key store external to the database, such as Azure Key Vault, the Windows Certificate Store on the client machine, or a hardware security module. The database engine holds only metadata about the CMK (its provider name and key path), never the key material, so it cannot unwrap a CEK or decrypt a column on its own.
Configuration and Granularity
The process of configuring Always Encrypted is explicitly designed around selecting individual columns.
- Configuration Wizard: Using tools like SQL Server Management Studio (SSMS) or Azure Data Studio, you run a wizard that lists the tables in your database. You can then select specific columns (e.g., CreditCardNumber, SocialSecurityNumber) to encrypt.
- Deterministic vs. Randomized Encryption: For each selected column, you must choose an encryption type. Randomized encryption is the stronger choice: the same plaintext value encrypts to a different ciphertext each time, so nothing about repeated values leaks, but the server cannot compare such values at all (no equality predicates, grouping or joins on the column unless secure enclaves are used). Deterministic encryption always produces the same ciphertext for a given plaintext value, which lets the server perform equality lookups, grouping and joins on the encrypted column, at the cost of revealing which rows share a value and how often each value occurs; it is therefore a poor fit for low-cardinality columns such as booleans or country codes. Deterministic encryption of character columns also requires a binary (BIN2) collation, for example Latin1_General_BIN2, because case- or accent-insensitive matching is impossible on ciphertext. Neither type supports range comparisons, LIKE or arithmetic on the server without enclaves.
- Selective Application: This granular control is a key benefit. You can choose to encrypt only the PII or sensitive data columns in a table, leaving non-sensitive columns in plaintext. This minimizes the performance overhead and query limitations associated with encryption, applying it only where necessary.
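The T-SQL below is an added example, not code from the original page or from Microsoft's documentation, that ties together the key hierarchy described above (CMK and CEK) and the per-column configuration (deterministic vs. randomized). The key vault URL, the key names, the table and column names, and the placeholder ENCRYPTED_VALUE are all assumptions; in practice the wrapped CEK value is produced by SSMS, Azure Data Studio or the SqlServer PowerShell module, which wrap the CEK with the CMK on the client, never by T-SQL on the server.

```sql
-- 1. Column Master Key: only metadata is stored in the database.
--    KEY_PATH is an assumed Azure Key Vault key URL; the key material never leaves the vault.
CREATE COLUMN MASTER KEY CMK_AKV_Customers
WITH (
    KEY_STORE_PROVIDER_NAME = N'AZURE_KEY_VAULT',
    KEY_PATH = N'https://contoso-ae-kv.vault.azure.net/keys/AlwaysEncryptedCMK/0123456789abcdef0123456789abcdef'
);
GO

-- 2. Column Encryption Key: stored only as a value wrapped by the CMK.
--    ENCRYPTED_VALUE below is a placeholder; a real one is a long varbinary produced by the client tool
--    when it wraps the CEK with the CMK. The server accepts whatever is supplied and never unwraps it.
CREATE COLUMN ENCRYPTION KEY CEK_Customers
WITH VALUES (
    COLUMN_MASTER_KEY = CMK_AKV_Customers,
    ALGORITHM = 'RSA_OAEP',
    ENCRYPTED_VALUE = 0x0170000001  -- placeholder, not a usable wrapped key
);
GO

-- 3. Selective column-level encryption: only two of the four columns are protected.
--    SSN is DETERMINISTIC so the application can do equality lookups on it; it needs a BIN2 collation.
--    CreditCardNumber is RANDOMIZED: strongest protection, but no server-side comparisons.
CREATE TABLE dbo.Customers (
    CustomerId       INT IDENTITY(1,1) PRIMARY KEY,
    FullName         NVARCHAR(100) NOT NULL,                         -- plaintext, not sensitive enough to encrypt
    SSN              CHAR(11) COLLATE Latin1_General_BIN2
                     ENCRYPTED WITH (
                         COLUMN_ENCRYPTION_KEY = CEK_Customers,
                         ENCRYPTION_TYPE = DETERMINISTIC,
                         ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NOT NULL,
    CreditCardNumber NVARCHAR(25) COLLATE Latin1_General_BIN2
                     ENCRYPTED WITH (
                         COLUMN_ENCRYPTION_KEY = CEK_Customers,
                         ENCRYPTION_TYPE = RANDOMIZED,
                         ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NULL,
    CreatedAt        DATETIME2 NOT NULL DEFAULT SYSUTCDATETIME()    -- plaintext
);
GO

-- 4. Verification: which columns are encrypted, how, and with which key.
--    A DBA can run this, but sees only ciphertext when selecting from the table.
SELECT  t.name                        AS table_name,
        c.name                        AS column_name,
        c.encryption_type_desc,
        c.encryption_algorithm_name,
        cek.name                      AS cek_name,
        cmk.name                      AS cmk_name,
        cmk.key_store_provider_name,
        cmk.key_path
FROM    sys.columns AS c
JOIN    sys.tables  AS t   ON t.object_id = c.object_id
JOIN    sys.column_encryption_keys       AS cek  ON cek.column_encryption_key_id = c.column_encryption_key_id
JOIN    sys.column_encryption_key_values AS cekv ON cekv.column_encryption_key_id = cek.column_encryption_key_id
JOIN    sys.column_master_keys           AS cmk  ON cmk.column_master_key_id = cekv.column_master_key_id
WHERE   c.encryption_type IS NOT NULL
ORDER BY t.name, c.name;
GO

-- 5. What queries look like from an enabled client (Column Encryption Setting=Enabled).
--    The driver encrypts @ssn with the column's CEK before sending it, so this equality
--    lookup works on the DETERMINISTIC column:
DECLARE @ssn CHAR(11) = '123-45-6789';   -- constructed sample value
SELECT CustomerId, FullName FROM dbo.Customers WHERE SSN = @ssn;

-- The same predicate on the RANDOMIZED column is rejected by the engine with an
-- encryption scheme mismatch error, as are range, LIKE and arithmetic predicates
-- on either encrypted column (without secure enclaves):
-- SELECT CustomerId FROM dbo.Customers WHERE CreditCardNumber = @card;   -- fails
-- SELECT CustomerId FROM dbo.Customers WHERE SSN LIKE '123%';            -- fails
```

Run the DDL through an Always Encrypted-enabled client (SSMS with the setting enabled, or a driver with Column Encryption Setting=Enabled) after creating the CEK with the client tool; the verification query in step 4 is a useful post-deployment check that the intended columns, and only those, carry an encryption type and are tied to the expected CMK in the expected key store.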