The short answer is, you don’t.
The entire point of Always Encrypted is that the DBA can’t view or modify the data using SQL Server Management Studio. The only way to view and change the data is by using the front end application that created the data. This means that if someone submits a ticket to your team to change some data, you won’t be able to. Because you can’t touch the data, you’ll have to refer that ticket back to someone in the business and have them make the change using the application, just like a normal user would.
Denny
The post When using Always Encrypted in SQL Server 2016, how do I as the DBA view the data? appeared first on SQL Server with Mr. Denny.
One Response
In a proper environment, that’s true. However, if the DBA gets a copy of the certificate, then he just needs to add “Column Encryption Setting=enabled” to SSMS. I’ve been told (and will verify by Philly) that as of RC3 you actually need the certificate on the server so if the DBA has local admin on the OS hosting the server, they could get the certificate in most scenarios.
It’s definitely possible to prevent the DBA from getting the certificate, and it’s probably possible (read: I never tried, but it’s my understanding) to use Azure key store in such a way that the only people with access to the keys don’t have access to the database.
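Whether the DBA is really locked out depends on where the column master key lives, which is the point both the post and the response turn on. The query below is an added example, not part of the original post or the response: it uses the Always Encrypted catalog views to list each encrypted column with its key store provider and key path, so the separation between database administrators and key holders can be reviewed. The `review_note` text is illustrative wording, not SQL Server output.

```sql
-- Added example: inventory Always Encrypted columns and the location of
-- each column master key (CMK). Run in the user database being reviewed.
-- The database stores only key metadata, never the CMK itself.
SELECT
    s.name                       AS schema_name,
    t.name                       AS table_name,
    c.name                       AS column_name,
    c.encryption_type_desc,      -- DETERMINISTIC or RANDOMIZED
    cek.name                     AS column_encryption_key,
    cmk.name                     AS column_master_key,
    cmk.key_store_provider_name, -- e.g. MSSQL_CERTIFICATE_STORE, AZURE_KEY_VAULT
    cmk.key_path,                -- path as seen by the client that decrypts
    CASE
        WHEN cmk.key_store_provider_name = N'MSSQL_CERTIFICATE_STORE'
             AND cmk.key_path LIKE N'LocalMachine/%'
            THEN 'Machine certificate store: confirm the certificate is not installed on the SQL Server host'
        WHEN cmk.key_store_provider_name = N'MSSQL_CERTIFICATE_STORE'
            THEN 'User certificate store: confirm which accounts hold the private key'
        ELSE 'Other key store provider: review who can reach the key and compare with the DBA group'
    END                          AS review_note
FROM sys.columns AS c
JOIN sys.tables  AS t
    ON t.object_id = c.object_id
JOIN sys.schemas AS s
    ON s.schema_id = t.schema_id
JOIN sys.column_encryption_keys AS cek
    ON cek.column_encryption_key_id = c.column_encryption_key_id
JOIN sys.column_encryption_key_values AS cekv
    ON cekv.column_encryption_key_id = cek.column_encryption_key_id
JOIN sys.column_master_keys AS cmk
    ON cmk.column_master_key_id = cekv.column_master_key_id
WHERE c.encryption_type IS NOT NULL
ORDER BY s.name, t.name, c.name, cmk.name;
```

A column encryption key that is mid-rotation has two rows in `sys.column_encryption_key_values`, so its columns appear once per column master key.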