Parameterizing Always Encrypted Statements

Jakub Szymaszek shows off Parameterizing for Always Encrypted in SSMS 17.0:

First thing to note is that SSMS has rewritten the query as a parameterized statement. The literal, used to initialize the @SSN variable in the original query, is being passed inside a parameter, with an auto-generated name (@pdf9f37d6e63c46879555e4ba44741aa6). This allows the .NET Framework Data Provider for SQL Server to automatically detect that the parameter needs to be encrypted. The driver achieves that by calling sp_describe_parameter_encryption that prompts SQL Server to analyze the query statement and determine which parameters should be encrypted and how. Then, the driver, transparently encrypts the parameter value, before submitting the query to SQL Server for execution via sp_executesql. SQL Server can now successfully execute the query.

Read the whole thing.  Setting this up does obviate part of a benefit to using Always Encrypted:  the ability completely to lock out a database administrator from certain pieces of data.

Related Posts

Protecting Database Assets From Administrators

Louis Davidson walks through which things are granted to administrators of different levels: Own is a strange term, because really there is just one user that is listed as owner, but there are there are three users who essentially are owner level, super-powered users in a database: 1. A login using server rights, usually via […]

Read More

Victimless Deadlocks And SSMS

Michael J. Swart shows a scenario where the deadlock graph fails to open in SQL Server Management Studio: I recently got this error in Management Studio when trying to view a deadlock graph that was collected with an extended events session: Failed to initialize deadlock control. Key cannot be null. Parameter name: key I found […]

Read More


December 2016
« Nov Jan »