Specifies whether the driver is enabled for Always Encrypted functionality when accessing data from encrypted columns.
The application can override the value for this option by setting a value for the SQL_SOPT_SS_COLUMN_ENCRYPTION statement attribute in an SQL statement, thereby allowing you to enable or disable support for the Always Encrypted feature during the same connection. By enabling support only as needed, you can avoid some of the overhead associated with processing queries using Always Encrypted and improve performance. The Column Encryption option must be set to Enabled to use the SQL_SOPT_SS_COLUMN_ENCRYPTION statement attribute. See "Enabling Always Encrypted" for more information.
Valid Values
Disabled | Enabled
Behavior
If set to Enabled, the driver fully supports Always Encrypted functionality. The driver transparently decrypts result sets and returns them to the application. In addition, the driver transparently encrypts parameter values that are associated with encrypted columns.
If set to ResultsetOnly, the driver transparently decrypts result sets and returns them to the application. Queries containing parameters that affect encrypted columns will return an error.
If set to Disabled, the driver does not use Always Encrypted functionality. The driver does not attempt to decrypt data from encrypted columns, but will return data as binary formatted cipher text. However, statements containing parameters that reference encrypted columns are not supported and will return an error.
Notes
When Always Encrypted functionality is enabled (ColumnEncryption=Enabled | ResultsetOnly), the driver transparently supports both randomized encryption and deterministic encryption.
Parameter markers must be used when specifying values that are associated with encrypted columns. If literal values are specified in a statement targeting encrypted columns, the driver will return an error.
If you are using Azure Key Vault as your keystore provider, values for the Key Store Principal ID (AEKeystorePrincipalId) and Key Store Secret (AEKeystoreClientSecret) options must be specified.
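The rules above can be checked before a connection string is deployed. The following is an added example, not code from the driver or its documentation: the function names, the `uses_akv`, `reads_encrypted` and `binds_encrypted_params` flags, and the sample connection string are constructed for illustration, and the `{...}` value quoting is assumed to follow the usual ODBC convention.

```python
import re

# Behaviour per ColumnEncryption value, as this page describes it:
# (decrypts result sets, accepts parameters that target encrypted columns)
MODES = {"enabled": (True, True), "resultsetonly": (True, False),
         "disabled": (False, False)}
AKV_KEYS = ("AEKeystorePrincipalId", "AEKeystoreClientSecret")

# key=value pairs; {...} quoting (with }} for a literal }) is assumed
_PAIR = re.compile(r"\s*([^=;]+?)\s*=\s*(\{(?:[^}]|\}\})*\}|[^;]*)\s*(?:;|$)")

def parse_conn_str(conn_str):
    """Return connection-string attributes keyed by lower-cased name."""
    attrs = {}
    for key, value in _PAIR.findall(conn_str):
        if len(value) >= 2 and value[0] == "{" and value[-1] == "}":
            value = value[1:-1].replace("}}", "}")
        attrs[key.lower()] = value.strip()
    return attrs

def check_column_encryption(conn_str, uses_akv=False, reads_encrypted=False,
                            binds_encrypted_params=False):
    """Return a list of findings; an empty list means no problem found."""
    attrs = parse_conn_str(conn_str)
    raw = attrs.get("columnencryption")
    if raw is None:
        return ["ColumnEncryption is not set"]
    if raw.lower() not in MODES:
        return [f"ColumnEncryption={raw} is not a documented value"]
    decrypts, accepts_params = MODES[raw.lower()]
    findings = []
    if reads_encrypted and not decrypts:
        findings.append("encrypted columns come back as binary cipher text")
    if binds_encrypted_params and not accepts_params:
        findings.append(f"ColumnEncryption={raw}: parameters on encrypted "
                        "columns return an error")
    if uses_akv:
        findings += [f"{k} must be specified for Azure Key Vault"
                     for k in AKV_KEYS if not attrs.get(k.lower())]
    return findings

if __name__ == "__main__":
    # Constructed sample: AKV keystore, secret missing, parameters in use
    sample = "DSN=Sales;ColumnEncryption=ResultsetOnly;AEKeystorePrincipalId=app-id"
    for finding in check_column_encryption(sample, uses_akv=True,
                                           binds_encrypted_params=True):
        print(finding)
```

Option names are matched case-insensitively, and a missing ColumnEncryption option is reported rather than assumed to have a particular default.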