SQL Server Always Encrypted – Securing from ‘sa’ Account

Tags: always-encrypted, sql-server, ssms

I'm currently studying SQL Server Always Encrypted feature. How can I disable column decryption to "sa" if all they have to do is add Column Encryption Setting=enabled in the login's additional login parameters in SQL Server Management Studio?

I read articles on Google. They only said we can secure data from admins, but gave no example of how.

Best Answer

The column encryption key (CEK) is used to encrypt the data and is stored in the database. The CEK is secured using a column master key (CMK).

The CMK is stored outside of SQL Server. Metadata about the key is stored within SQL Server.

If you restrict access to the CMK your database administrators / system administrators (sa) will not have the ability to decrypt.
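The following T-SQL is an added illustration of the separation the answer describes; it is not code from the original post. It assumes a CMK held in the Windows certificate store of the client machine (the `CurrentUser/My` path and the certificate thumbprint are placeholders, as is the `ENCRYPTED_VALUE`, which in practice is produced by SSMS or PowerShell wrapping the CEK with the certificate's public key). The table and column names are made up for the example.

```sql
-- 1. CMK metadata: SQL Server stores only the provider name and the path.
--    The private key itself never leaves the client's certificate store.
CREATE COLUMN MASTER KEY CMK_Patients
WITH (
    KEY_STORE_PROVIDER_NAME = 'MSSQL_CERTIFICATE_STORE',
    KEY_PATH = 'CurrentUser/My/<CERT_THUMBPRINT_PLACEHOLDER>'
);
GO

-- 2. CEK: the value stored here is the CEK already wrapped (RSA-OAEP) with
--    the CMK's public key. Without the matching private key it is opaque.
CREATE COLUMN ENCRYPTION KEY CEK_Patients
WITH VALUES (
    COLUMN_MASTER_KEY = CMK_Patients,
    ALGORITHM = 'RSA_OAEP',
    ENCRYPTED_VALUE = 0x016E000001630075007200720065006E00  -- placeholder bytes
);
GO

-- 3. A table whose sensitive column is encrypted with that CEK.
--    BIN2 collation is required for encrypted character columns.
CREATE TABLE dbo.Patients (
    PatientId INT IDENTITY(1,1) PRIMARY KEY,
    SSN       CHAR(11) COLLATE Latin1_General_BIN2
              ENCRYPTED WITH (
                  COLUMN_ENCRYPTION_KEY = CEK_Patients,
                  ENCRYPTION_TYPE = DETERMINISTIC,
                  ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256'
              ),
    FullName  NVARCHAR(100)
);
GO

-- 4. What 'sa' can see: metadata only. key_path is a pointer, not a key,
--    and encrypted_value is the wrapped CEK, not the CEK.
SELECT cmk.name              AS cmk_name,
       cmk.key_store_provider_name,
       cmk.key_path,
       cek.name              AS cek_name,
       cekv.encryption_algorithm_name,
       cekv.encrypted_value  AS wrapped_cek
FROM sys.column_master_keys            AS cmk
JOIN sys.column_encryption_key_values  AS cekv
     ON cekv.column_master_key_id = cmk.column_master_key_id
JOIN sys.column_encryption_keys        AS cek
     ON cek.column_encryption_key_id = cekv.column_encryption_key_id;
GO

-- 5. Reading the column. On a connection with
--    "Column Encryption Setting=enabled", the client driver looks up
--    key_path in its own certificate store to unwrap the CEK. If the
--    certificate (private key) is not installed for the Windows account
--    running SSMS, the driver fails with a key-store error and no plaintext
--    is returned. Without the connection setting, the ciphertext bytes are
--    returned as-is.
SELECT PatientId, SSN, FullName
FROM dbo.Patients;
GO
```

The control that matters is therefore outside the database: the certificate's private key is provisioned only on the application servers (or to the specific Windows accounts) that legitimately need plaintext, and is never installed on the DBA's workstation or the SQL Server host. The same holds when the CMK lives in Azure Key Vault, where the vault's access policy rather than the certificate store decides who can unwrap the CEK. Enabling the connection string setting gives `sa` nothing more than a failed key lookup.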