As you know, we can create “Column Master Key” & “Column Encryption Key” to encrypt the column values. You can check here to learn about key creation. Usually these keys are associated with the certificate which includes the details like,
Issued To, Issued By, Expiration Date, Thumbprint & etc.
In Always encryption, we have four different Key store options are available which helps us to secure our keys. These keys are associated with the table columns. We can decrypt the values using these keys so we need to make sure to secure the keys.
Widows Certificate Store – Current User
This type of certificate store is local to current user on the computer. This is located in the registry of the computer, specifically on HKEY_CURRENT_USER root
We need to compare the current user certificate store with local machine certificate store. Current user certificate always inherit the content of the local machine certificate.
We can generate the certificate by our self and that will be available for one year and we can use that to encrypt the column values.
T-SQL Statement to create a master key, we can select the certificate (Thumbprint) which I highlighted.
Windows Certificate Store – Local Machine
This will be available on the computer which is global to all users on the computer. This is located under HKEY_LOCAL_MACHINE registry.
This will list out all the available certificates in your computer and choose for encryption.
Azure Key Vault
This should be used to safeguard the keys in cloud (Azure). It requires a Azure subscription.
Key Storage Provider (CNG)
It provides different providers,
We can choose any of the above provider, for more information about the algorithm, key length & etc., check Microsoft article here.