Always Encrypted
Always Encrypted protects sensitive
data by encrypting it. The data is not decrypted (or encrypted) on the Server. These operations take place on the client's machine. Thus, even a
DBA or system engineer with full admin rights to the Server machine cannot see the sensitive data in plain text (for example by scanning the memory or harddisks on the server).
If a user cannot provide the key when querying encrypted data, he/she will either see encrypted data or the query will fail, depending on the database connection properties.
Because of the nature of encrypted data, Always Encrypted comes with a severe limitation: Data can only be compared for equality (and only if deterministic encryptions was chosen).
Always Encrypted was introduced with SQL Server 2016.
Secure enclave (SQL Server 2019)
Secure enclave is a technology that addresses the data-comparison-limitation of Always Encrypted.
Such a secure enclave is a protected region of memory within the SQL Server process where sensitive data can be processed securly because it cannot be accessed from SQL Server (although the secure enclave is contained in SQL Server).
Secure enclaves require Virtualization-Based security (VBS) (aka Virtual Secure Mode, VSM), which is available in Windows Server 2019 or Windows 10 (build 17704 or later).