Always Encrypted with Secure Enclaves – Try It Now in SQL Server 2019 Preview!

Always Encrypted with secure enclaves allows computations on plaintext data inside a secure enclave on the server side. Microsoft defines a secure enclave as a protected region of memory within the SQL Server process. It acts as a trusted execution environment for processing sensitive data inside the SQL Server engine. A secure enclave is a black box to SQL Server and to other processes on the server: it is not possible to view any data or code inside the enclave from the outside, even with a debugger.

[Image: what an administrator sees when browsing the enclave memory with a debugger (note the question marks in place of the actual memory contents).]

The capabilities this brings are:
- In-place encryption. Encrypt a column, rotate a column encryption key, or change the encryption type of a column without moving your data out of the database.
- Rich computations. The engine can delegate some operations on encrypted database columns to the enclave, which decrypts the sensitive data and executes the operations requested in the query on the plaintext values.

You can now try and evaluate this in the preview of SQL Server 2019.
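The following T-SQL is an added example, not code from the original post or from Microsoft's documentation, showing the two capabilities above in statement form. It assumes a table dbo.Employees with a Salary column, an enclave-enabled column encryption key named CEK_Enclave (whose column master key was created with ENCLAVE_COMPUTATIONS), and a session whose connection has Always Encrypted and enclave attestation enabled (for example SSMS with "Column Encryption Setting=Enabled" and an attestation URL, plus "Enable Parameterization for Always Encrypted" so the DECLARE below is sent as an encrypted parameter). The table, key and value names are assumptions.

```sql
-- Added example (not from the original post). Table, key and value names are
-- assumptions; CEK_Enclave is assumed to be an enclave-enabled column
-- encryption key and the session is assumed to have enclave attestation set up.

-- 1. In-place encryption: encrypt an existing plaintext column without the
--    data leaving the database. The enclave re-encrypts the rows server-side;
--    ONLINE = ON keeps the table available while it runs. The same statement
--    form, with a different COLUMN_ENCRYPTION_KEY or ENCRYPTION_TYPE, is how a
--    key rotation or a DETERMINISTIC -> RANDOMIZED change is done in place.
ALTER TABLE dbo.Employees
    ALTER COLUMN Salary money
        ENCRYPTED WITH (
            COLUMN_ENCRYPTION_KEY = CEK_Enclave,
            ENCRYPTION_TYPE = RANDOMIZED,
            ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256'
        ) NOT NULL
    WITH (ONLINE = ON);

-- 2. Rich computation: a range predicate on a RANDOMIZED-encrypted column.
--    Without an enclave this fails, because randomized ciphertext cannot be
--    compared; with an enclave the engine decrypts inside the enclave,
--    evaluates Salary > @salary there, and returns only the matching rows.
--    The client driver encrypts @salary before it leaves the client, so the
--    plaintext threshold is never visible to the SQL Server process outside
--    the enclave.
DECLARE @salary money = 50000;

SELECT EmployeeID, LastName
FROM dbo.Employees
WHERE Salary > @salary;
```

The defender-side point to keep in mind when checking a deployment: the predicate evaluation and the column re-encryption only happen inside the enclave when the connection has been attested, so a query like the one above running with column encryption enabled but attestation missing or failing will error rather than silently fall back to plaintext comparison on the server.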