sql-server - Retrieving encrypted column 'xxx' with CommandBehavior=SequentialAccess is not supported

Question

I have setup a Azure SQL Database and enabled Always Encrypted.

One of the column (column3) is varchar(Max).

When I query the database from SSMS without using "column encryption setting=enabled", I can see that all the columns have binary data.

When I query the database from SSMS using "column encryption setting=enabled", I am getting an error as below:

An error occurred while executing batch. Error message is: Retrieving encrypted column 'column3' with CommandBehavior=SequentialAccess is not supported.

This is what my table definition looks like:

CREATE TABLE [dbo].[mytable](
    [column1] [varchar](2000) ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = [CEK_Auto1], ENCRYPTION_TYPE = Deterministic, ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NULL,
    [column2] [datetime] ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = [CEK_Auto1], ENCRYPTION_TYPE = Deterministic, ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NULL,
    [column3] [varchar](max) ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = [CEK_Auto1], ENCRYPTION_TYPE = Deterministic, ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NULL
)

If I remove the encryption on column3, everything works fine and I can see decrypted values.

Am I missing something here?

score 2 · Accepted Answer

来自 Always Encrypted 团队的开发人员在这里。

SQL Server 和 Azure SQL DB 不允许从 SSMS 查询具有“列加密设置=启用”的 VARCHAR(MAX) 列，因为 SSMS 使用顺序访问来流式传输可能较大的 varchar(MAX) 值。SSMS 通过设计强制执行此选择，因为它提供了一种机制来查询大对象中的部分字节位置（从而避免将整个大 blob 存储在内存中）。但是，相比之下，Always Encrypted 不允许对加密列进行部分解密。这种限制源于我们使用分组密码并将 HMAC 存储在加密单元中的事实，如果没有完整的单元值，我们将无法验证 HMAC 并解密数据。

作为替代方案，您可以从 ADO.Net 客户端（不使用 SequentialAccess）查询具有“列加密设置 = 启用”的 varchar(max)。

score 0 · Accepted Answer

此问题已在 2016 年 8 月发布的 SSMS 16.3 中修复。您现在可以查询和解密 varchar(max) 和其他 LOB 列。

sql-server - Retrieving encrypted column 'xxx' with CommandBehavior=SequentialAccess is not supported

2 回答 2

Related

Reference