Secure your data with functionally always encrypted.
Azure SQL lets database users protect sensitive columns with “Always Encrypted”. It is a client-side encryption feature that, combined with Transparent Data Encryption (TDE) for data at rest and TLS for data in transit, aims to keep the data encrypted in every state it passes through.

In this blog, we will answer the question, “is always encrypted actually always encrypted?” We will also discuss what always encrypted means in practice for database administrators and security administrators who are using it in Azure.
Transparent Data Encryption vs. Always Encrypted
To understand the encryption phases that make up “always encrypted”, we first have to separate two features that are easy to confuse. Transparent Data Encryption (TDE) encrypts the database files, logs and backups at rest with a database encryption key; the engine decrypts pages in memory as it reads them, so TDE is invisible to the application and to anyone who can run queries. Always Encrypted works differently: each protected column is encrypted on the client, inside the database driver, with a column encryption key (CEK). The CEK is stored in the database only in wrapped form, encrypted under a column master key (CMK) that lives outside the database, in Azure Key Vault, a certificate store or an HSM. The data cannot be decrypted without both keys, the CEK to decrypt the column and the CMK to unwrap the CEK, and the CMK never leaves the key store. That is what makes it stronger than encryption the database engine performs itself: the engine, its backups and a DBA with full query rights see only ciphertext.
Because encryption is applied column by column, each sensitive column can use its own CEK, so even if a malicious actor obtained one key, they would be limited to the columns it protects, not the entire record. This column-level, client-side encryption is the layer the always encrypted process adds on top of TDE.

Always Encrypted Example
To demonstrate how TDE is combined with the other encryption methods, the data flow diagram below traces the data from end to end. The data is transferred from the user to the app using HTTPS. Between the app and the database the connection is protected by TLS, and the values in Always Encrypted columns are already ciphertext because the database driver encrypts them before the query leaves the app. Once stored, the database files and backups are encrypted at rest by TDE.

Where the Data is Not Encrypted
Even though a significant amount of effort went into making sure that the data is in an encrypted state at every phase, there is still a point where it is not encrypted: inside the application. The driver decrypts the column values as it returns query results, and from then on the plaintext sits in the app's memory and in whatever the app does with it, until the value is encrypted again on its way back to the database.
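As an added example (not code from the original post, and not Microsoft's driver code), the following Go program models the key hierarchy from the section above and the point just made about where plaintext exists. It implements the published structure of the AEAD_AES_256_CBC_HMAC_SHA_256 cell format (sub-keys derived from the CEK, deterministic versus randomized IV, HMAC over the whole cell) and wraps the CEK under a locally generated RSA key that stands in for the column master key in Azure Key Vault. Assumptions, also marked in the code: the salt strings are hashed in UTF-16LE form as in the .NET driver, the CMK wrap uses RSA-OAEP with SHA-256, and byte-for-byte compatibility with a real SQL client driver has not been verified, so use the real drivers for real data. The SSN value is a constructed sample.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"unicode/utf16"
)

// Salt text follows Microsoft's published description of AEAD_AES_256_CBC_HMAC_SHA_256; assumption: UTF-16LE encoding as in the .NET driver, interop with a real driver not verified.
const saltFmt = "Microsoft SQL Server cell %s with encryption algorithm:AEAD_AES_256_CBC_HMAC_SHA_256 and key length:256"
const version, macLen, ivLen = byte(0x01), 32, 16

func utf16le(s string) (out []byte) { // the salt is hashed in its UTF-16LE form (assumption above)
	for _, c := range utf16.Encode([]rune(s)) {
		out = append(out, byte(c), byte(c>>8))
	}
	return out
}

func hmac256(key []byte, parts ...[]byte) []byte {
	m := hmac.New(sha256.New, key)
	for _, p := range parts {
		m.Write(p)
	}
	return m.Sum(nil)
}

// deriveKeys splits the 256-bit column encryption key (CEK) into separate AES, MAC and IV keys.
func deriveKeys(cek []byte) (encKey, macKey, ivKey []byte) {
	k := func(purpose string) []byte { return hmac256(cek, utf16le(fmt.Sprintf(saltFmt, purpose))) }
	return k("encryption key"), k("MAC key"), k("IV key")
}

// EncryptCell is what the driver does before a value leaves the app; the database only ever receives the blob version || HMAC-SHA-256 || IV || AES-256-CBC ciphertext.
func EncryptCell(cek, plaintext []byte, deterministic bool) ([]byte, error) {
	encKey, macKey, ivKey := deriveKeys(cek)
	iv := make([]byte, ivLen)
	if deterministic {
		copy(iv, hmac256(ivKey, plaintext)) // IV derived from the plaintext: equal values give equal cells
	} else if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(encKey) // 32-byte key straight from HMAC-SHA-256, cannot fail
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS#7 padding
	padded := append(append([]byte(nil), plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	mac := hmac256(macKey, []byte{version}, iv, ct, []byte{0x01}) // trailing 0x01 = length of the version field
	return bytes.Join([][]byte{{version}, mac, iv, ct}, nil), nil
}

// DecryptCell is the driver-side inverse; it fails closed on a wrong CEK or a modified cell.
func DecryptCell(cek, cell []byte) ([]byte, error) {
	const hdr = 1 + macLen + ivLen
	if len(cell) < hdr+aes.BlockSize || cell[0] != version || (len(cell)-hdr)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("malformed cell (%d bytes)", len(cell))
	}
	encKey, macKey, _ := deriveKeys(cek)
	mac, iv, ct := cell[1:1+macLen], cell[1+macLen:hdr], cell[hdr:]
	if !hmac.Equal(mac, hmac256(macKey, []byte{version}, iv, ct, []byte{0x01})) {
		return nil, fmt.Errorf("MAC check failed: wrong CEK or tampered cell")
	}
	block, _ := aes.NewCipher(encKey)
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	if pad := int(pt[len(pt)-1]); pad >= 1 && pad <= aes.BlockSize {
		return pt[:len(pt)-pad], nil
	}
	return nil, fmt.Errorf("bad padding")
}

// WrapCEK/UnwrapCEK stand in for the column master key (CMK) in Azure Key Vault: the database stores the CEK only wrapped and the private half never leaves the key store. Assumption: OAEP with SHA-256.
func WrapCEK(cmk *rsa.PublicKey, cek []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, cmk, cek, nil)
}
func UnwrapCEK(cmk *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, cmk, wrapped, nil)
}

func main() {
	cmk, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the Key Vault key
	cek := make([]byte, 32)
	rand.Read(cek)
	wrapped, _ := WrapCEK(&cmk.PublicKey, cek) // the only form of the CEK the database ever holds
	ssn := []byte("123-45-6789")               // constructed sample value, not real data
	detA, _ := EncryptCell(cek, ssn, true)
	detB, _ := EncryptCell(cek, ssn, true)
	rnd, _ := EncryptCell(cek, ssn, false)
	fmt.Println("deterministic equal:", bytes.Equal(detA, detB), "randomized equal:", bytes.Equal(detA, rnd))
	unwrapped, _ := UnwrapCEK(cmk, wrapped) // needs CMK access; plaintext first exists from here on
	pt, err := DecryptCell(unwrapped, detA)
	fmt.Printf("app sees %q, err=%v\n", pt, err)
}
```

Run it with `go run`. The two deterministic cells compare equal, which is what lets the engine evaluate equality predicates and joins on such a column (and is also why deterministic encryption reveals which rows share a value); the randomized cell does not. Nothing between EncryptCell and DecryptCell can read the value, and DecryptCell refuses a cell encrypted under another CEK or modified in storage, so a DBA who can read or edit the table still gets nothing but ciphertext. The plaintext exists only in the process that holds the unwrapped CEK, which is the app.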
What This Means for Admins
Since the data is decrypted while in use by the app, it is important for security admins to help secure the app that is using the always encrypted data. If malicious actors cannot reach the app's process, its memory, its configuration and the credentials it uses to reach the key store, they have no opening to the data while it is unencrypted. Treat the app's access to the column master key as equivalent to access to the plaintext: an identity that can unwrap the column encryption keys can decrypt every column they protect.
Software developers and security engineers can help secure the data by enforcing good hygiene on the software development end with a secure development lifecycle. They can also limit the damage from a leaked key with a key rotation policy. Rotation does not make the keys harder to guess (a 256-bit column encryption key is not guessable); it bounds how much data a single compromised key exposes and lets a suspect key be retired. Note the asymmetry: rotating the column master key only re-wraps the column encryption keys, while rotating a column encryption key means re-encrypting every value in the columns it protects.
We will continue to share best practices and lessons learned in future posts on using encryption to secure data. As more data goes into the cloud it is important to make sure that the encryption that the data goes through is securing the data as much as possible.
In closing, consider these three questions when using always encrypted in your organization:
- Do we need to set up encryption at every stage that the data goes through?
- Is the small window where the data is not encrypted significant to our organization or is functionally always encrypted all we need?
- Are we using an encryption key management service to make sure that the data is secured according to best practices?
