Skip to content

Commit

Permalink
OOB Publish 11/12 - 11:15 AM PST (#32375)
Browse files Browse the repository at this point in the history
* [SSMS 21] New SSMS 21 content for Public Preview release [Scheduled release 11/12/2024] (#32369)

* Always Encrypted Wizard

* Update always-encrypted-wizard-ssms-21.md

* Update docs/relational-databases/security/encryption/always-encrypted-wizard-ssms-21.md

Co-authored-by: Mark Ghanayem <22989000+markingmyname@users.noreply.github.com>

* Delete sql-docs-pr.sln

* Update always-encrypted-wizard-ssms-21.md

I reviewed the PR in detail and made some changes.

Please review then sign off on this PR.  

Thank you.

* Acrolinx score improvement

* Additional edit pass

* Fix bullets

* Correct list indentation

* Correct indentation

* [REQUIRES SQUASH] [SSMS 21] New Content for SSMS 21 release (#32229)

* [SSMS 21]  New Content for SSMS 21 release

* Add and modify

* Add more files

* faqyaml

* Apply suggestions from code review

* Update docs/ssms/ssms-21/known-issues.md

* More files

* More files

* updates to FAQ

* added more questions to faq

* update faq and roadmap articles

* removed legal articles

* created a new folder called install

* replace vs_enterprise with vs_ssms

* Specific edits on where to add "SSMS" in metadata and article

* acrolinx improvement to 3 files

* fix broken links MicrosoftDocs#1

* removed 21 preview from line 17

* fix broken links MicrosoftDocs#2

* Working changes (include file for product name)

* DocsCleaner pass

* More broken links

* Incorporated feedback, and added TOC

* addressed comments in PR

* more edits

* Updates to docs

* acrolinx improvements

* address warnings and suggestions

* pushed more changes

* addressed more warnings and suggestions

---------

Co-authored-by: Randolph West MSFT <97149825+rwestMSFT@users.noreply.github.com>
Co-authored-by: Erin Stellato <98599126+erinstellato-ms@users.noreply.github.com>

* Fix links

* Fix links and raise up Acrolinx scores

* Merge the streams

* Additional tweak

* Add new known issues

---------

Co-authored-by: Pieter Vanhove <pieter.vanhove@microsoft.com>
Co-authored-by: Randolph West MSFT <97149825+rwestMSFT@users.noreply.github.com>
Co-authored-by: Dennis Rea <61802807+denrea@users.noreply.github.com>
Co-authored-by: Alma Jenks <v-alje@microsoft.com>
Co-authored-by: Erin Stellato <98599126+erinstellato-ms@users.noreply.github.com>

* update link in release notes ssms 21 - line 22 (#32378)

---------

Co-authored-by: Mark Ghanayem <22989000+markingmyname@users.noreply.github.com>
Co-authored-by: Pieter Vanhove <pieter.vanhove@microsoft.com>
Co-authored-by: Randolph West MSFT <97149825+rwestMSFT@users.noreply.github.com>
Co-authored-by: Dennis Rea <61802807+denrea@users.noreply.github.com>
Co-authored-by: Alma Jenks <v-alje@microsoft.com>
Co-authored-by: Erin Stellato <98599126+erinstellato-ms@users.noreply.github.com>
  • Loading branch information
7 people authored Nov 12, 2024
1 parent fe65bb2 commit 395b01a
Show file tree
Hide file tree
Showing 27 changed files with 2,082 additions and 0 deletions.
Original file line number Diff line number Diff line change
@@ -0,0 +1,117 @@
---
title: "Configure column encryption using Always Encrypted Wizard in SSMS 21"
description: Learn how to configure Always Encrypted for database columns by using the Always Encrypted Wizard in SSMS 21.
author: pietervanhove
ms.author: pivanho
ms.reviewer: vanto, maghan, randolphwest
ms.date: 11/12/2024
ms.service: sql
ms.subservice: security
ms.topic: concept-article
f1_keywords:
- "sql13.swb.alwaysencryptedwizard.f1"
helpviewer_keywords:
- "Wizard, Always Encrypted"
monikerRange: "=azuresqldb-current || >=sql-server-2016 || >=sql-server-linux-2017 || =azuresqldb-mi-current"
---

# Configure column encryption using Always Encrypted Wizard in SSMS 21 Preview

[!INCLUDE [SQL Server Azure SQL Database Azure SQL Managed Instance](../../../includes/applies-to-version/sql-asdb-asdbmi.md)]

The Always Encrypted Wizard is a powerful tool that allows you to set the desired [Always Encrypted](always-encrypted-database-engine.md) configuration for selected database columns. Depending on the current configuration and the desired target configuration, the wizard can encrypt a column, decrypt it (remove encryption), or re-encrypt it (for example, using a new column encryption key or an encryption type that is different from the current type, configured for the column). Multiple columns can be configured in a single run of the wizard.

The wizard allows you to encrypt columns with existing encryption keys, generate a new column encryption key, or both a new column encryption key and a new column master key.

The wizard's assessment allows you to evaluate the tables in a selected database or choose specific tables to analyze. It identifies columns suitable for encryption and highlights those incompatible with Always Encrypted due to their data type, constraints, and other factors. The wizard provides a detailed list of restrictions for each field, explaining why specific columns can't be encrypted.

When your database is configured with a secure enclave, you can run cryptographic operations in place without moving data out of the database. The wizard removes all dependencies blocking the schema change of the column to be encrypted. It issues an in-place encryption for each column using the enclave within the database engine. When the encryption is finished, the wizard recreates the dependencies. For more information about Always Encrypted with secure enclaves, see [Always Encrypted with secure enclaves](always-encrypted-enclaves.md).

When your database isn't configured with a secure enclave, the wizard allows you to enable a secure enclave. Suppose you choose not to enable a secure enclave or you aren't using enclave-enabled keys. In that case, the wizard moves data out of the database and performs cryptographic operations within the SSMS process. The wizard creates a new table (or tables) with the desired encryption configuration in the database, loads all data from the original tables, performs the requested cryptographic operations, uploads the data to the new tables, and then swaps one or more original tables with the new tables.

> [!TIP]
> Using in-place encryption using Always Encrypted with secure enclaves, if available in your environment, might substantially reduce the time and the reliability of cryptographic operations.
Running cryptographic operations can take a long time. During that time, your database isn't available to write transactions. PowerShell is a recommended tool for cryptographic operations on larger tables. See [Configure column encryption using Always Encrypted with PowerShell](configure-column-encryption-using-powershell.md) or [Configure column encryption in-place with PowerShell](always-encrypted-enclaves-configure-encryption-powershell.md).

- For an end-to-end walk-through that shows how to configure Always Encrypted with the wizard and use it in a client application, see the following Azure SQL Database tutorials:

- [Protect sensitive data in Azure SQL Database with Always Encrypted and column master keys in Windows certificate store](/azure/azure-sql/database/always-encrypted-certificate-store-configure)

- [Protect sensitive data in Azure SQL Database with Always Encrypted and column master keys in Azure Key Vault](/azure/sql-database/sql-database-always-encrypted-azure-key-vault)

- For information about Always Encrypted keys, see [Overview of key management for Always Encrypted](overview-of-key-management-for-always-encrypted.md).

- For information about encryption types supported in Always Encrypted, see [Selecting Deterministic or Randomized Encryption](always-encrypted-database-engine.md#selecting--deterministic-or-randomized-encryption).

## Permissions

To perform cryptographic operations using the wizard, you must have the `VIEW ANY COLUMN MASTER KEY DEFINITION` and `VIEW ANY COLUMN ENCRYPTION KEY DEFINITION` permissions. You also need key store permissions to create, access, and use your column master key. For detailed information on key store permissions, go to [Create and store column master keys for Always Encrypted](create-and-store-column-master-keys-always-encrypted.md), or find a section relevant to your key store.

## Open the Always Encrypted wizard

You can launch the wizard at three different levels:

- You can encrypt multiple columns in different tables at a database level.
- At a table level, if you want ypt multiple columns in the same table.
- At a column level, if you want ypt one specific column.

1. Connect to your [!INCLUDE [ssNoVersion](../../../includes/ssnoversion-md.md)] with the Object Explorer component of [!INCLUDE [ssManStudioFull](../../../includes/ssmanstudiofull-md.md)].

1. To encrypt:

    - Multiple columns located in different tables in a database, right-click your database, point to **Tasks**, and then select **Always Encrypted Wizard**.

    - Multiple columns in the same table, navigate to the table, right-click on it, and then select **Always Encrypted Wizard**.

    - An individual column, navigate to the column, right-click on it, and then select **Always Encrypted Wizard**.

## Column Selection page

On this page, you select columns to encrypt, re-encrypt, or decrypt and define the target encryption configuration for them.

To encrypt a plaintext column (a column that isn't encrypted), select an encryption type (**Deterministic** or **Randomized**) and an encryption key for the column.

Select the desired encryption type and the key to change an encryption type or rotate (change) a column encryption key for an already encrypted column.

If you want the wizard to encrypt or re-encrypt one or more columns using a new column encryption key, pick a key containing **(New)** in its name. The wizard generates the key.

To decrypt a currently encrypted column, select **Plaintext** for the encryption type.

> [!TIP]
> If you want to use in-place encryption and you're using existing keys, make sure you select enclave-enabled keys, annotated with **(enclave-enabled)**.
The wizard doesn't support cryptographic operations on temporal and in-memory tables. You can create empty temporal or in-memory tables using Transact-SQL and insert data using your application.

## Column Assessment page

The selected tables and columns are assessed for suitability for Always Encrypted, or Always Encrypted with secure enclaves. The assessment starts automatically by showing a status bar and a list of the tables and columns it currently assesses, which are done, and which are to do. The assessment checks if a table column meets the requirements for Always Encrypted or Always Encrypted with secure enclaves based on the [limitations](../../../relational-databases/security/encryption/always-encrypted-database-engine.md#limitations).

If a column doesn't meet the requirements, the assessment displays an "Error" status for that column. Selecting the Messages link lets you get detailed information about why that specific column can't be encrypted.

You can encrypt the passed assessment columns by checking the checkbox. The wizard automatically skips any columns that don't pass the assessment. Additionally, you can export the results to a CSV or text file by selecting the Report button.

## Master Key Configuration page

If you selected an autogenerated column encryption key for any column on the previous page, you need to either select an existing column master key or configure a new column master key that encrypts the column encryption key on this page.

When configuring a new column master key, you can either pick an existing key in Windows Certificate Store or Azure Key Vault and have the wizard create just a metadata object for the key in the database, or you can choose to generate both the key and the metadata object describing the key in the database.

To use in-place encryption, select **Allow enclave computations** for a new column master key. Selecting this checkbox is allowed only if your database is configured with a secure enclave.

For more information about creating and storing column master keys in Windows Certificate Store, Azure Key Vault or other key stores, see [Create and store column master keys for Always Encrypted](../../../relational-databases/security/encryption/create-and-store-column-master-keys-always-encrypted.md) or [Manage keys for Always Encrypted with secure enclaves](../../../relational-databases/security/encryption/always-encrypted-enclaves-manage-keys.md).

> [!TIP]
> The wizard allows you to browse and create keys only in the Windows Certificate Store and Azure Key Vault. It also auto-generates the names of the new keys and the database metadata objects describing them. Suppose you need more control over how your keys are provisioned (and more choices for a key store containing your column master key). In that case, you can use the **New Column Master Key** and **New Column Encryption Key** dialogs to create the keys first, and then run the wizard and pick the keys you have created. See [Provision Column Master Keys with the New Column Master Key Dialog](configure-always-encrypted-keys-using-ssms.md#provision-column-master-keys-with-the-new-column-master-key-dialog) or [Provision enclave-enabled keys](always-encrypted-enclaves-provision-keys.md) and [Provision Column Encryption Keys with the New Column Encryption Key Dialog](configure-always-encrypted-keys-using-ssms.md#provision-column-encryption-keys-with-the-new-column-encryption-key-dialog).
## In-Place Encryption Settings page

If you have configured a secure enclave in your database and you're using enclave-enabled keys, this page allows you to specify the enclave attestation parameters required for in-place encryption. If you don't want to use in-place encryption, unselect **Use in-place encryption for eligible columns** to proceed with client-side encryption. We recommend leaving this checkbox enabled so that the wizard can use in-place encryption.

For more information about enclave attestation, see [Configure attestation for Always Encrypted using Azure Attestation](/azure/azure-sql/database/always-encrypted-enclaves-configure-attestation)

## Related content

- [Always Encrypted](../../../relational-databases/security/encryption/always-encrypted-database-engine.md)
- [Always Encrypted with secure enclaves](../../../relational-databases/security/encryption/always-encrypted-enclaves.md)
- [Overview of key management for Always Encrypted](overview-of-key-management-for-always-encrypted.md)
2 changes: 2 additions & 0 deletions docs/ssms/download-sql-server-management-studio-ssms.md
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,8 @@ For customers needing a cross-platform companion to SSMS for managing SQL and ot

For details and more information about what's new in this release, see [Release notes for SQL Server Management Studio (SSMS) 20.2](release-notes-ssms.md).

For details and download information for SQL Server Management Studio 21 Preview 1, see [Install SQL Server Management Studio 21 Preview](../ssms/install/install.md)

## Download SSMS

:::image type="icon" source="../includes/media/download.svg" border="false"::: **[Download SQL Server Management Studio (SSMS) 20.2](https://aka.ms/ssmsfullsetup)**
Expand Down
8 changes: 8 additions & 0 deletions docs/ssms/includes/ssms-21-md.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
---
author: rwestMSFT
ms.author: randolphwest
ms.date: 11/12/2024
ms.service: sql
ms.topic: include
---
SQL Server Management Studio 21 Preview
14 changes: 14 additions & 0 deletions docs/ssms/includes/support.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
---
author: erinstellato-ms
ms.author: erinstellato
ms.date: 11/12/2024
ms.service: sql
ms.subservice: ssms
ms.topic: include
---

## Support or troubleshooting

Sometimes, things can go wrong. If your SSMS installation fails, see [Troubleshoot installation and upgrade issues for SQL Server Management Studio 21 Preview](../install/troubleshoot.md) for step-by-step guidance.

You can reference [SQL user feedback](https://aka.ms/ssms-feedback) for other known issues (filter on **Tooling** under **Groups**) and to provide feedback to the product team.
Loading

0 comments on commit 395b01a

Please sign in to comment.