Always Encrypted with secure enclaves – Intel SGX vs VBS

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Community Hub.

Always Encrypted with secure enclaves is a feature of Azure SQL Database that allows you to protect sensitive data from unauthorized access, even from the database administrators. Secure enclaves are regions of memory isolated from the server that can perform computations on encrypted data without revealing the plaintext. When processing SQL queries, the database engine delegates computations on encrypted data to a secure enclave. The code in the enclave decrypts the data and performs computations on plaintext. This can be done safely, because the enclave has strong isolation guarantees. It is a black box to the containing database engine process and the OS, so database administrators or machine administrators cannot see the data inside the enclave.


By leveraging secure enclaves, Always Encrypted can support rich confidential queries, including pattern matching, range comparisons, sorting and more. It also enables in-place cryptographic operations, such as encrypting existing data or rotating the data encryption keys.


Azure SQL Database supports two types of secure enclaves: Intel SGX enclaves and VBS enclaves. In this blog post, we will compare these two options and help you choose the best one for your use case.


What are Intel SGX enclaves and VBS enclaves?

Intel Software Guard Extensions (Intel SGX) enclaves is a hardware-based trusted execution environment technology. Intel SGX protects data actively being used in the processor and memory by creating a trusted execution environment (TEE) called an enclave.


Virtualization-based Security (VBS) enclaves (also known as Virtual Secure Mode, or VSM enclaves) is a software-based technology that relies on Windows hypervisor and doesn't require any special hardware. The hypervisor creates a logical separation between the “normal world” and “secure world”, designated by Virtual Trust Levels, VTL0 and VT1, respectively. VBS secure memory enclaves create a means for secure, computation in an otherwise untrusted environment.


What are the advantages and disadvantages of Intel SGX and VBS enclaves?

The main advantage of Intel SGX enclaves is that they provide stronger security guarantees than VBS enclaves. Intel SGX enclaves are resistant to attacks from the host operating system.

The main disadvantage of Intel SGX enclaves is that they have limited availability. The databases require specific hardware (DC-series) that are not supported by all Azure SQL Database service tiers and regions. Let us know if you need a region to be enabled where we currently do not support DC-series. Secondly, DC-series comes with an extra cost because of the specific hardware that is needed which is limited to a maximum of 40 physical cores.

The main advantage of VBS enclaves is that they have wider availability than Intel SGX enclaves because we don’t have the hardware dependency. VBS enclaves can run on any Azure SQL Database service tier in any region and comes with no extra cost.
The main disadvantage of VBS enclaves is that they provide weaker security guarantees than Intel SGX enclaves. VBS enclaves help protect your data from attacks inside the VM. However, they don't provide any protection from attacks using privileged system accounts originating from the host.


Below is a summary comparison of Intel SGX and VBS enclaves:


Intel Software Guard eXtensions (SGX)

Virtualization-based security (VBS)


Available in DC-series hardware configuration

No hardware dependency

Purchasing model

vCore model

DTU and vCore

Compute mode


Provisioned and serverless

Compute size

Up to 40 (physical) vCores

Any (up to 128 vCores)

Regional availability

Regional availability: East/West US,

North/West EU, Canada Central, UK South, Southeast Asia

All Azure regions


Protection from rogue customer’s DBAs

Protection from rogue customer’s DBAs

Protection from attacks originating from both guest and host OS (rogue cloud operators, malware)

Protection from attacks originating from guest OS (rogue cloud operators, malware), but not host OS

Attestation using Microsoft Azure Attestation

No attestation currently supported


How to choose between Intel SGX and VBX enclaves?

The choice between Intel SGX enclaves and VBS enclaves depends on your security requirements. Think about who you want to protect your data for. Do you want to protect your data from malicious insiders or do you also want to protect your data from the host provider. If you need the highest level of security, you should use Intel SGX enclaves.
The table below can help you with that decision.



Attack method

Always Encrypted with Intel SGX enclaves

Always Encrypted with VBS enclaves

DBAs connecting over TDS

Querying encrypted columns without access to the encryption keys



VM (guest OS) administrators

Generating a memory dump of the SQL Server process or scanning its memory



Data center/host administrators

Generating a memory dump of the host server




If needed, you can always switch the enclave type by changing the SLO of the database. In general, there are no changes needed in the application if you switch from VBS to Intel SGX or the other way around.



Unlike Intel SGX, VBS is a software-based solution with no hardware dependency. This allows us to bring the benefits of Always Encrypted with secure enclaves to all Azure SQL Database offerings, so that you can use the feature with a compute tier (provisioned or serverless), a purchasing model (vCore or DTU), a compute size (currently, up to 128 vCores), and a region that best matches your workload requirements. And, since VBS enclaves are available in existing hardware offerings, they come with no extra cost. It is important to note that Intel SGX enclaves remain a recommended option for customers who seek the strongest level of protection, including the isolation from host OS administrators, which VBS enclaves do not provide.


Learn more


Leave a Reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.