You can configure Always Encrypted behavior for the driver by specifying the following values for the ColumnEncryption connection property:
If set to Enabled, the driver fully supports Always Encrypted functionality. The driver transparently decrypts result sets and returns them to the application. In addition, the driver transparently encrypts parameter values that are associated with encrypted columns.
If set to ResultsetOnly, only decryption is enabled. The driver transparently decrypts result sets and returns them to the application. Queries containing parameters that affect encrypted columns will return an error.
If set to Disabled (the default), Always Encrypted functionality is disabled. The driver does not attempt to decrypt data from encrypted columns and returns the data as binary-formatted cipher text. However, statements containing parameters that reference encrypted columns are not supported and will return an error.
By default, Always Encrypted is disabled (ColumnEncryption=Disabled). For more information on configuring the ColumnEncryption property, see "ColumnEncryption."
When Always Encrypted is enabled (ColumnEncryption=Enabled | ResultsetOnly), the driver must be configured to use a keystore provider; otherwise, an error will be returned. See "Using keystore providers" for details.
If set to Enabled, the driver fully supports Always Encrypted functionality. The driver transparently decrypts result sets and returns them to the application. In addition, the driver transparently encrypts parameter values that are associated with encrypted columns.