title Server Configuration: column encryption enclave type
description Find out how to enable or disable a secure enclave for Always Encrypted. Learn how to confirm whether an enclave was correctly initialized.
author jaszymas
ms.author jaszymas
ms.reviewer randolphwest
ms.date 08/26/2025
ms.service sql
ms.subservice configuration
ms.topic how-to
monikerRange >=sql-server-ver15

Server configuration: column encryption enclave type

[!INCLUDE sqlserver2019-windows-only]

This article describes how to enable or disable a secure enclave for Always Encrypted with secure enclaves. For more information, see Always Encrypted with secure enclaves and Configure the secure enclave in SQL Server.

The column encryption enclave type server configuration option controls the type of a secure enclave used for Always Encrypted. The option can be set to one of the following values:

| Value | Description |
| --- | --- |
| 0 | No secure enclave. The [!INCLUDE ssDE] doesn't initialize the secure enclave for Always Encrypted. As a result, the functionality of Always Encrypted with secure enclaves isn't available. |
| 1 | Virtualization-based security (VBS). The [!INCLUDE ssDE] attempts to initialize a virtualization-based security (VBS) enclave. |

Important

Changes to the column encryption enclave type don't take effect until you restart the [!INCLUDE ssNoVersion] instance.

You can check the configured enclave type value and the enclave type value currently in effect by using the sys.configurations view.

To confirm that an enclave of the type currently in effect (greater than 0) was correctly initialized after the last restart of [!INCLUDE ssnoversion-md], check the sys.dm_column_encryption_enclave view.

For step-by-step instructions on how to configure a VBS enclave, see Step 2: Enable Always Encrypted with secure enclaves in SQL Server.

Examples

The following example enables the secure enclave and sets the enclave type to VBS:

EXECUTE sp_configure 'column encryption enclave type', 1;
GO

RECONFIGURE;
GO

The following example disables the secure enclave:

EXECUTE sp_configure 'column encryption enclave type', 0;
GO

RECONFIGURE;
GO

The following query retrieves the configured enclave type and the enclave type that is currently in effect:

USE [master];
GO

SELECT [value],
       CASE [value] WHEN 0 THEN 'No enclave' WHEN 1 THEN 'VBS' ELSE 'Other' END AS [value_description],
       [value_in_use],
       CASE [value_in_use] WHEN 0 THEN 'No enclave' WHEN 1 THEN 'VBS' ELSE 'Other' END AS [value_in_use_description]
FROM sys.configurations
WHERE [name] = 'column encryption enclave type';
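The following script is an added example, not part of the original article. It combines the two checks described above into one status row: whether a restart is still pending (configured value differs from the value in use) and whether sys.dm_column_encryption_enclave returns a row. It assumes that a row in that view means the enclave was initialized, which the article does not spell out; the variable names and status strings are illustrative.

```sql
USE [master];
GO

-- Added example: one-row health check after changing the enclave type.
DECLARE @configured INT, @in_use INT, @enclave_rows INT;

-- [value] and [value_in_use] are sql_variant, so convert before comparing.
SELECT @configured = CONVERT(INT, [value]),
       @in_use     = CONVERT(INT, [value_in_use])
FROM sys.configurations
WHERE [name] = 'column encryption enclave type';

-- Assumption: the view returns a row only when an enclave was initialized.
-- Only the row count is used, so no column names of the view are assumed.
SELECT @enclave_rows = COUNT(*)
FROM sys.dm_column_encryption_enclave;

SELECT @configured   AS [configured_type],
       @in_use       AS [type_in_use],
       @enclave_rows AS [enclave_rows],
       CASE
           WHEN @configured IS NULL
               THEN 'Option not found on this instance'
           WHEN @configured <> @in_use
               THEN 'Restart pending: configured type is not yet in effect'
           WHEN @in_use = 0 AND @enclave_rows = 0
               THEN 'No enclave: enclave features are unavailable'
           WHEN @in_use = 0
               THEN 'Unexpected: type 0 in effect but the view returned rows'
           WHEN @enclave_rows = 0
               THEN 'Type in effect but view is empty: enclave not confirmed as initialized'
           ELSE 'Enclave type in effect and the view returned a row'
       END AS [status];
GO
```

Run it once after `RECONFIGURE` and again after the instance restart; the first run should report a pending restart when the value was changed.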
