Always Encrypted is a feature designed to protect sensitive data (such as credit card numbers) that are stored in Azure SQL Database. It ensures that sensitive data is encrypted and decrypted inside client applications or application servers by using keys that are never revealed to Azure SQL Database. As a result, even database administrators, other high privilege users, or attackers gaining illegal access to Azure SQL Database, are not able access the data.
Always Encrypted makes encryption transparent to client applications. A SQL client driver (such as ADO.NET in .NET 4.6) that is enabled with Always Encrypted transparently encrypts the data that corresponds to sensitive columns before it passes the data to the database. It automatically rewrites queries so that the semantics to the application are preserved. Similarly, the driver transparently decrypts the data retrieved from encrypted database columns, and returns plain text values to the application.
For more information about Always Encrypted, see: