
Azure SQL Database Always Encrypted - How to move a database to a new Azure Tenant

Always Encrypted is a feature designed to protect sensitive data stored in Azure SQL Database or SQL Server databases. Always Encrypted allows clients to encrypt sensitive data inside client applications and never reveal the encryption keys to the Database Engine (SQL Database or SQL Server).

If a database has Always Encrypted enabled, then it has at least one Column Encryption Key (CEK), which can be found in the sys.column_encryption_key_values system catalog view. If you run this query:

    select column_encryption_key_id, column_master_key_id, encryption_algorithm_name, encrypted_value
    from sys.column_encryption_key_values

It returns something like this.

The encrypted_value column is a CEK: a randomly generated key encrypted with the Master Encryption Key (MEK), which is stored in an Azure Key Vault.

To see the master encryption key details, use this query:

    select name, column_master_key_id, key_store_provider_name, key_path
    from sys.column_master_keys

The output would look like this:

The m