Always Encrypted feature in SQL Server 2016

Always Encrypted is designed to allow encrypted data to always be encrypted but still allow SQL Server to work with the data.

1. Data is encrypted at all times and will only be decrypted once it reaches the application:
   In the diagram above you see that the data for one or more columns of a table is stored in an encrypted state. When SQL Server acts on this data locally it acts only on the encrypted version. It never decrypts it and so it’s encrypted in memory as well as on the wire as it transits the network (or Internet) on the way to the client. SQL Server treats the encrypted data as if it were the raw field. Only at the point where the data reaches the client is it decrypted for use in your applications. This makes the encrypted data nearly impervious to man-in-the-middle attacks or file based decryption on the server.
   
2. Encryption keys are not stored on the server
   SQL Server will not store the keys to decrypt the data it stores in Always On Encrypted fields.
   You have to register on the server but the certificate will be available on the clients and the actual certificate is not accessible on the server. The client can store the encryption keys currently in the local certificate store and in time in Azure Key Vaults or Hardware Security Modules. One thing to consider is that SQL Server DBAs will not be able to view any of the encrypted data during migrations, imports, etc.
   Other work around will be to install the client certificate locally on the server but that would negate much of the security of Always On Security by giving a hacked server access to the encrypted data.
   
3. Always on Encrypted columns support only equality operators only
   As the data is encrypted in SQL Server only column equality is supported. That means you can use equality in WHERE, JOIN, and GROUP BY clauses but you can’t use LIKE or other aggregation or pattern matching features like SUM, SUBSTRING, etc.
   
4. You need to upgrade your client software to .NET 4.6
   As the encryption and decryption is done at the client, your clients will need to upgrade to the new version of the .NET framework which is 4.6. Version 1 currently only supports SQL Server Client driver but ODBC and JDBC drivers will be coming at a later date.
   
5. This is not TDE (Transparent Data Encryption)TDE is a feature of SQL Server that encrypts the data files themselves on the server. This is basically encrypting your entire database. While this provides security for stored or “at rest” data, once the file is decrypted by SQL Server the data remains decrypted in plain text in memory and when it’s sent across the wires.
   Always On Encryption will encrypt the data in memory and on the wire but due to the performance hit on the client it’s not recommended to secure every field in a table or database as TDE does. So you need to consider this when you decide which security feature to implement.
   
6. Encrypted columns take significantly more space
   While columns defined with Always On Encryption specify the size of the original decrypted data they actually store the encrypted value which can be much larger. This we need to consider while deciding on the number of columns to be encrypted in your table.