You can configure the default behavior for Always Encrypted by specifying one of following values for the Column Encryption connection option (ColumnEncryption):
If set to Enabled, the driver fully supports Always Encrypted functionality. The driver transparently decrypts result sets and returns them to the application. In addition, the driver transparently encrypts parameter values that are associated with encrypted columns.
If set to ResultsetOnly, the driver transparently decrypts result sets and returns them to the application. Queries containing parameters that affect encrypted columns will return an error.
If set to Disabled (default), the driver does not use Always Encrypted functionality. The driver does not attempt to decrypt data from encrypted columns, but will return data as binary formatted cipher text. However, statements containing parameters that reference encrypted columns are not supported and will return an error.
The behavior specified for the Column Encryption option acts as the default for the connection; however, you can override this behavior on a per-statement basis by specifying a value for the SQL_SOPT_SS_COLUMN_ENCRYPTION statement attribute. By using this statement attribute, you can toggle support for Always Encrypted to suit the applications requirements without having to establish a new connection. This allows you to avoid some of the overhead associated with encrypting and decrypting data when accessing tables that do not contain encrypted columns. To use the SQL_SOPT_SS_COLUMN_ENCRYPTION statement attribute, the Column Encryption connection option must be set to Enabled or ResultsetOnly.
For details on configuring the Column Encryption option, see "Column Encryption." See the following section for more information on using the statement attribute.
Depending on your keystore provider, you may need to further configure the driver to connect when Always Encrypted is enabled (ColumnEncryption=Enabled | ResultsetOnly). See "Using keystore providers" for details.
Enabling Always Encrypted programmatically
To override the default behavior for the connection or DSN when Always Encrypted is enabled (ColumnEncryption=Enabled | ResultsetOnly), specify one of the following values for the SQL_SOPT_SS_COLUMN_ENCRYPTION statement attribute in a SQL Statement:
Always Encrypted functionality is fully enabled. The driver transparently decrypts result sets and returns them to the application. In addition, the driver transparently encrypts parameter values that are associated with encrypted columns.
SQL_CE_RESULTSETONLY (2)
Only decryption is enabled. The driver transparently decrypts result sets and returns them to the application. Queries containing parameters that affect encrypted columns will return an error.
SQL_CE_DISABLED (0)
Always Encrypted functionality is disabled. The driver does not attempt to decrypt data from encrypted columns and returns the data as binary-formatted cipher text. Execution of statements containing parameters that affect encrypted columns are not supported and will return an error.