MSSQL Always Encrypted

Databases

SQL Server

MSSQL Security

MSSQL Encryption

Available in Enterprise, Standard, Express and Developer since SQL 2016 SP1

Columm level encryption

Deterministic - can be used in WHERE clauses, GROUP BY and JOINS and can be INDEXed.
Randomized - More secure, but non-searchable

SQL Server Native Client .NET 4.6

Windows Certificate Store - deployed to each application server
Azure Key Vault - auditable central store but needs reliable internet

Gotchas

Distributed Queries (linked servers)
No Default or Check Constraints
No Partition Columns
Columns Reference By Computed Columns
No transactional/Merge Replication
Aggregations
Columns with the IDENTITY property
No Triggers

SQL2019 Secure Enclaves address some of these issues ("Allow Enclave Computations" must be turned on, and see "Always Encrypted" tab in SSMS connection box).

Bibliography

https://sqlespresso.com/2017/11/29/how-to-get-started-with-always-encrypted-for-beginners-part-1/https://sqlespresso.com/2017/12/13/how-to-get-started-with-always-encrypted-for-beginners-part-2/https://sqlespresso.com/2018/01/17/how-to-get-started-with-always-encrypted-for-beginners-part-3-one-two-punch/https://sqlespresso.com/2018/06/13/how-to-get-started-with-always-encrypted-for-beginners-part-4-change-is-coming/https://www.sentryone.com/blog/aaronbertrand/t-sql-tuesday-69-always-encrypted-limitationshttps://dba.stackexchange.com/questions/194013/securing-always-encrypted-sql-server-from-sahttps://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/create-and-store-column-master-keys-always-encryptedhttps://www.idera.com/resource-center/webcasts/geeksync/always-encrypted-for-beginners/thankyou/
https://sdtimes.com/devops/a-developers-guide-to-key-storage-providers/
Always Encrypted with Secure Enclaveshttps://techcommunity.microsoft.com/t5/azure-sql-blog/how-to-convert-always-encrypted-to-always-encrypted-with-secure/ba-p/4081456