Microsoft has just announced that their “Always Encrypted” feature for Azure SQL has now been released to General Availability.
Always Encrypted allows you to consistently store columns of data within SQL tables as encrypted data. The encryption/decryption happens at the .NET calling layer, so the underlying data at rest is always encrypted. In order to encrypt or decrypt, the calling application has to be registered, have sufficient permissions, and have access to the encryption keys.
With Always Encrypted, anyone with DBA-level access has no ability to decrypt the data without going through the application tier. Any direct SQL call will result in encrypted data being returned.
Another advantage of this approach is selective column encryption – only the columns specified by the schema, such as personal information or credit card numbers, are encrypted.
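To make the selective column encryption concrete, here is an added T-SQL example (not from Microsoft's announcement) that encrypts two columns of a table and then lists which columns in the database are protected. The table, column and key names are hypothetical, and it assumes a column encryption key called `CEK_Example` has already been provisioned.

```sql
-- Added example: dbo.Customers, its columns and CEK_Example are hypothetical names.
-- Assumes the column encryption key CEK_Example already exists in this database
-- (for instance, created with the SSMS Always Encrypted wizard).

CREATE TABLE dbo.Customers (
    CustomerId  INT IDENTITY(1,1) PRIMARY KEY,
    Name        NVARCHAR(100) NOT NULL,  -- not encrypted: stored as plaintext

    -- Deterministic: equal plaintexts give equal ciphertexts, so equality
    -- lookups and joins still work, but repeated values are visible.
    SSN         CHAR(11) COLLATE Latin1_General_BIN2
                ENCRYPTED WITH (
                    COLUMN_ENCRYPTION_KEY = CEK_Example,
                    ENCRYPTION_TYPE = DETERMINISTIC,
                    ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NOT NULL,

    -- Randomized: a different ciphertext on every write; the stronger choice
    -- for values that are only stored and read back, never searched on.
    CardNumber  VARCHAR(19) COLLATE Latin1_General_BIN2
                ENCRYPTED WITH (
                    COLUMN_ENCRYPTION_KEY = CEK_Example,
                    ENCRYPTION_TYPE = RANDOMIZED,
                    ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NOT NULL
);
GO

-- Audit query: every encrypted column, its encryption type and its key.
-- Useful for checking that the sensitive columns you expect are covered.
SELECT t.name AS table_name,
       c.name AS column_name,
       c.encryption_type_desc,
       c.encryption_algorithm_name,
       k.name AS column_encryption_key
FROM sys.columns AS c
JOIN sys.tables AS t
  ON t.object_id = c.object_id
JOIN sys.column_encryption_keys AS k
  ON k.column_encryption_key_id = c.column_encryption_key_id
WHERE c.encryption_type IS NOT NULL;
GO

-- Run from a direct session (no "Column Encryption Setting=Enabled" in the
-- connection string, no access to the keys): Name comes back readable,
-- while SSN and CardNumber come back as varbinary ciphertext.
SELECT TOP (5) CustomerId, Name, SSN, CardNumber
FROM dbo.Customers;
```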