Make Encrypt option explicit in connection string samples

David-Engel · David-Engel · commit f30d3eef27ff · 2022-09-16T14:40:17.000-07:00
diff --git a/docs/connect/odbc/linux-mac/connection-string-keywords-and-data-source-names-dsns.md b/docs/connect/odbc/linux-mac/connection-string-keywords-and-data-source-names-dsns.md
@@ -36,9 +36,10 @@ DSNs are optional. You can use a DSN to define connection string keywords under
 ```ini
 # [DSN name]
 [MSSQLTest]  
-Driver = ODBC Driver 17 for SQL Server  
+Driver = ODBC Driver 18 for SQL Server  
 # Server = [protocol:]server[,port]  
 Server = tcp:localhost,1433
+Encrypt = yes
 #
 # Note:  
 # Port isn't a valid keyword in the odbc.ini file  
@@ -47,7 +48,7 @@ Server = tcp:localhost,1433
 ```  
 
 To connect using the above DSN in a connection string, you would specify the `DSN` keyword like: `DSN=MSSQLTest;UID=my_username;PWD=my_password`  
-The above connection string would be the equivalent of specifying a connection string without the `DSN` keyword like: `Driver=ODBC Driver 17 for SQL Server;Server=tcp:localhost,1433;UID=my_username;PWD=my_password`
+The above connection string would be the equivalent of specifying a connection string without the `DSN` keyword like: `Driver=ODBC Driver 18 for SQL Server;Server=tcp:localhost,1433;Encrypt=yes;UID=my_username;PWD=my_password`
 
 You can optionally specify the protocol and port to connect to the server. For example, **Server=tcp:**_servername_**,12345**. The only protocol supported by the Linux and macOS drivers is `tcp`.
 
@@ -112,7 +113,7 @@ When using connection encryption, the name (or IP address) in a Subject Common N
 By default, encrypted connections always verify the server's certificate. However, if you connect to a server that has a self-signed certificate, and aren't using strict encryption mode, you can add the `TrustServerCertificate` option to bypass checking the certificate against the list of trusted certificate authorities:  
 
 ```ini
-Driver={ODBC Driver 17 for SQL Server};Server=ServerNameHere;Encrypt=YES;TrustServerCertificate=YES  
+Driver={ODBC Driver 18 for SQL Server};Server=ServerNameHere;Encrypt=YES;TrustServerCertificate=YES  
 ```
 
 In strict encryption mode, the certificate is always verified. As an option to standard certificate validation, the `ServerCertificate` keyword (v18.1+) can be used to specify the path to a certificate file to match against the SQL Server certificate. This option is only available when using strict encryption. The accepted certificate formats are PEM, DER, and CER. If specified, the SQL Server certificate is checked by seeing if the `ServerCertificate` provided is an exact match.<br/><br/>
diff --git a/docs/connect/odbc/linux-mac/known-issues-in-this-version-of-the-driver.md b/docs/connect/odbc/linux-mac/known-issues-in-this-version-of-the-driver.md
@@ -52,7 +52,7 @@ If you get another connection failure and don't see a log file, there (possibly)
         Entry:
             Connection = 0x17c858e0
             Window Hdl = (nil)
-            Str In = [DRIVER={ODBC Driver 17 for SQL Server};SERVER={contoso.com};Trusted_Connection={YES};WSID={mydb.contoso.com};AP...][length = 139 (SQL_NTS)]
+            Str In = [DRIVER={ODBC Driver 18 for SQL Server};SERVER={contoso.com};Trusted_Connection={YES};WSID={mydb.contoso.com};AP...][length = 139 (SQL_NTS)]
             Str Out = (nil)
             Str Out Max = 0
             Str Out Ptr = (nil)
diff --git a/docs/connect/odbc/linux-mac/using-integrated-authentication.md b/docs/connect/odbc/linux-mac/using-integrated-authentication.md
@@ -22,7 +22,7 @@ As of version 17.6, the driver also supports integrated authentication with Azur
 You can enable Kerberos integrated authentication by specifying **Trusted_Connection=yes** in the connection string of **SQLDriverConnect** or **SQLConnect**. For example:  
 
 ```
-Driver='ODBC Driver 17 for SQL Server';Server=your_server;Trusted_Connection=yes  
+Driver='ODBC Driver 18 for SQL Server';Server=your_server;Encrypt=yes;Trusted_Connection=yes  
 ```
   
 When connecting with a DSN, you can also add **Trusted_Connection=yes** to the DSN entry in `odbc.ini`.
diff --git a/docs/connect/odbc/using-always-encrypted-with-the-odbc-driver.md b/docs/connect/odbc/using-always-encrypted-with-the-odbc-driver.md
@@ -36,7 +36,7 @@ If you're using Always Encrypted with secure enclaves, see [Develop applications
 The easiest way to enable both parameter encryption and resultset encrypted column decryption is by setting the value of the `ColumnEncryption` connection string keyword to **Enabled**. The following code is an example of a connection string that enables Always Encrypted:
 
 ```cpp
-SQLWCHAR *connString = L"Driver={ODBC Driver 17 for SQL Server};Server={myServer};Trusted_Connection=yes;ColumnEncryption=Enabled;";
+SQLWCHAR *connString = L"Driver={ODBC Driver 18 for SQL Server};Server={myServer};Encrypt=yes;Trusted_Connection=yes;ColumnEncryption=Enabled;";
 ```
 
 Always Encrypted may also be enabled in the DSN configuration, using the same key and value (which will be overridden by the connection string setting, if present), or programmatically with the `SQL_COPT_SS_COLUMN_ENCRYPTION` pre-connection attribute. Setting it this way overrides the value set in the connection string or DSN:
@@ -77,19 +77,19 @@ Examples of connection strings enabling enclave computations for a database conn
 - [!INCLUDE[ssnoversion-md](../../includes/ssnoversion-md.md)]:
   
    ```cpp
-   "Driver=ODBC Driver 17 for SQL Server;Server=myServer.myDomain;Database=myDataBase;Trusted_Connection=Yes;ColumnEncryption=VBS-HGS,http://myHGSServer.myDomain/Attestation"
+   "Driver=ODBC Driver 18 for SQL Server;Server=myServer.myDomain;Encrypt=yes;Database=myDataBase;Trusted_Connection=Yes;ColumnEncryption=VBS-HGS,http://myHGSServer.myDomain/Attestation"
    ```
 
 - [!INCLUDE[ssSDSfull](../../includes/sssdsfull-md.md)]:
   
    ```cpp
-   "Driver=ODBC Driver 17 for SQL Server;Server=myServer.database.windows.net;Database=myDataBase;Uid=myUsername;Pwd=myPassword;Encrypt=yes;ColumnEncryption=SGX-AAS,https://myAttestationProvider.uks.attest.azure.net/"
+   "Driver=ODBC Driver 18 for SQL Server;Server=myServer.database.windows.net;Database=myDataBase;Uid=myUsername;Pwd=myPassword;Encrypt=yes;ColumnEncryption=SGX-AAS,https://myAttestationProvider.uks.attest.azure.net/"
    ```
 
 - No attestation (v18.1+):
   
    ```cpp
-   "Driver=ODBC Driver 17 for SQL Server;Server=myServer.database.windows.net;Database=myDataBase;Uid=myUsername;Pwd=myPassword;Encrypt=yes;ColumnEncryption=VBS-NONE"
+   "Driver=ODBC Driver 18 for SQL Server;Server=myServer.database.windows.net;Database=myDataBase;Uid=myUsername;Pwd=myPassword;Encrypt=yes;ColumnEncryption=VBS-NONE"
    ```
 
 If the server and attestation service are configured correctly along with enclave-enabled CMKs and CEKs for the encrypted columns, you can execute queries that use the enclave such as in-place encryption and rich computations, in addition to the existing functionality provided by Always Encrypted. For more information, see [Configure Always Encrypted with secure enclaves](../../relational-databases/security/encryption/configure-always-encrypted-enclaves.md).
@@ -483,31 +483,31 @@ The following connection strings show how to authenticate to Azure Key Vault wit
 ##### ClientID/Secret
 
 ```cpp
-"DRIVER=ODBC Driver 17 for SQL Server;SERVER=myServer;Trusted_Connection=Yes;DATABASE=myDB;ColumnEncryption=Enabled;KeyStoreAuthentication=KeyVaultClientSecret;KeyStorePrincipalId=<clientId>;KeyStoreSecret=<secret>"
+"DRIVER=ODBC Driver 18 for SQL Server;SERVER=myServer;Encrypt=yes;Trusted_Connection=Yes;DATABASE=myDB;ColumnEncryption=Enabled;KeyStoreAuthentication=KeyVaultClientSecret;KeyStorePrincipalId=<clientId>;KeyStoreSecret=<secret>"
 ```
 
 ##### Username/Password
 
 ```cpp
-"DRIVER=ODBC Driver 17 for SQL Server;SERVER=myServer;Trusted_Connection=Yes;DATABASE=myDB;ColumnEncryption=Enabled;KeyStoreAuthentication=KeyVaultPassword;KeyStorePrincipalId=<username>;KeyStoreSecret=<password>"
+"DRIVER=ODBC Driver 18 for SQL Server;SERVER=myServer;Encrypt=yes;Trusted_Connection=Yes;DATABASE=myDB;ColumnEncryption=Enabled;KeyStoreAuthentication=KeyVaultPassword;KeyStorePrincipalId=<username>;KeyStoreSecret=<password>"
 ```
 
 ##### Managed Identity (system-assigned)
 
 ```cpp
-"DRIVER=ODBC Driver 17 for SQL Server;SERVER=myServer;Trusted_Connection=Yes;DATABASE=myDB;ColumnEncryption=Enabled;KeyStoreAuthentication=KeyVaultManagedIdentity"
+"DRIVER=ODBC Driver 18 for SQL Server;SERVER=myServer;Encrypt=yes;Trusted_Connection=Yes;DATABASE=myDB;ColumnEncryption=Enabled;KeyStoreAuthentication=KeyVaultManagedIdentity"
 ```
 
 ##### Managed Identity (user-assigned)
 
 ```cpp
-"DRIVER=ODBC Driver 17 for SQL Server;SERVER=myServer;Trusted_Connection=Yes;DATABASE=myDB;ColumnEncryption=Enabled;KeyStoreAuthentication=KeyVaultManagedIdentity;KeyStorePrincipalId=<objectID>"
+"DRIVER=ODBC Driver 18 for SQL Server;SERVER=myServer;Encrypt=yes;Trusted_Connection=Yes;DATABASE=myDB;ColumnEncryption=Enabled;KeyStoreAuthentication=KeyVaultManagedIdentity;KeyStorePrincipalId=<objectID>"
 ```
 
 ##### AKV Interactive
 
 ```cpp
-"DRIVER=ODBC Driver 17 for SQL Server;SERVER=myServer;Trusted_Connection=Yes;DATABASE=myDB;ColumnEncryption=Enabled;KeyStoreAuthentication=KeyVaultInteractive;UID=<userID>;PWD=<password>"
+"DRIVER=ODBC Driver 18 for SQL Server;SERVER=myServer;Encrypt=yes;Trusted_Connection=Yes;DATABASE=myDB;ColumnEncryption=Enabled;KeyStoreAuthentication=KeyVaultInteractive;UID=<userID>;PWD=<password>"
 ```
 
 No other ODBC application changes are required to use AKV for CMK storage.
diff --git a/docs/connect/odbc/using-azure-active-directory.md b/docs/connect/odbc/using-azure-active-directory.md
@@ -94,27 +94,27 @@ These options correspond to the same six available in the DSN setup UI above.
 ### Example connection strings
 
 1. SQL Server Authentication - legacy syntax. Server certificate isn't validated, and encryption is used only if the server enforces it. The username/password is passed in the connection string.
-`server=Server;database=Database;UID=UserName;PWD=Password;`
+`server=Server;database=Database;UID=UserName;PWD=Password;Encrypt=no;TrustServerCertificate=yes;`
 2. SQL Authentication - new syntax. The client requests encryption (the default value of `Encrypt` is `true`) and the server certificate gets validated, whatever the encryption setting (unless `TrustServerCertificate` is set to `true`). The username/password is passed in the connection string.
  `server=Server;database=Database;UID=UserName;PWD=Password;Authentication=SqlPassword;`
-3. Integrated Windows Authentication (Kerberos on Linux and macOS) using SSPI (to SQL Server or SQL IaaS) - current syntax. Server certificate isn't validated, unless encryption is used.
-`server=Server;database=Database;Trusted_Connection=yes;`
+3. Integrated Windows Authentication (Kerberos on Linux and macOS) using SSPI (to SQL Server or SQL IaaS) - current syntax. Server certificate isn't validated, unless encryption is required by the server.
+`server=Server;database=Database;Trusted_Connection=yes;Encrypt=no;`
 4. (_Windows driver only_.) Integrated Windows Authentication using SSPI (if the target database is in SQL Server or SQL IaaS) - new syntax. The client requests encryption (the default value of `Encrypt` is `true`) and the server certificate gets validated, whatever the encryption setting (unless `TrustServerCertificate` is set to `true`).
 `server=Server;database=Database;Authentication=ActiveDirectoryIntegrated;`
 5. Azure Active Directory Username/Password Authentication (if the target database is in Azure SQL Database). Server certificate gets validated, whatever the encryption setting (unless `TrustServerCertificate` is set to `true`). The username/password is passed in the connection string.
-`server=Server;database=Database;UID=UserName;PWD=Password;Authentication=ActiveDirectoryPassword;`
+`server=Server;database=Database;UID=UserName;PWD=Password;Authentication=ActiveDirectoryPassword;Encrypt=yes;`
 6. (_Windows, and Linux/macOS 17.6+, driver only_.) Integrated Windows Authentication using ADAL or Kerberos, which involves redeeming Windows account credentials for an Azure AD-issued access token, assuming the target database is in Azure SQL Database. Server certificate gets validated, whatever the encryption setting (unless `TrustServerCertificate` is set to `true`). On Linux/macOS, a suitable Kerberos ticket needs to be available. For more information, see the section below on Federated Accounts and [Using Integrated Authentication](linux-mac/using-integrated-authentication.md).
-`server=Server;database=Database;Authentication=ActiveDirectoryIntegrated;`
+`server=Server;database=Database;Authentication=ActiveDirectoryIntegrated;Encrypt=yes;`
 7. (_Windows driver only_.) Azure AD Interactive Authentication uses Azure Active Directory Multi-Factor Authentication technology to set up connection. In this mode, by providing the login ID, an Azure Authentication dialog is triggered and allows the user to input the password to complete the connection. The username is passed in the connection string.
-`server=Server;database=Database;UID=UserName;Authentication=ActiveDirectoryInteractive;`
+`server=Server;database=Database;UID=UserName;Authentication=ActiveDirectoryInteractive;Encrypt=yes;`
 ![Windows Azure Authentication UI when using Active Directory Interactive authentication.](windows/WindowsAzureAuth.png)
 8. Azure Active Directory Managed Identity Authentication uses system-assigned or user-assigned identity for authentication to set up connection. For user-assigned identity, UID is set to the object ID of the user identity.<br>
 For system-assigned identity,<br>
-`server=Server;database=Database;Authentication=ActiveDirectoryMsi;`<br>
+`server=Server;database=Database;Authentication=ActiveDirectoryMsi;Encrypt=yes;`<br>
 For user-assigned identity with object ID equals to myObjectId,<br>
-`server=Server;database=Database;UID=myObjectId;Authentication=ActiveDirectoryMsi;`
+`server=Server;database=Database;UID=myObjectId;Authentication=ActiveDirectoryMsi;Encrypt=yes;`
 9. Azure Active Directory Service Principal Authentication
-`server=Server;database=Database;UID=clientId;PWD=clientSecret;Authentication=ActiveDirectoryServicePrincipal;`
+`server=Server;database=Database;UID=clientId;PWD=clientSecret;Authentication=ActiveDirectoryServicePrincipal;Encrypt=yes;`
 
 > [!NOTE]
 >
@@ -149,7 +149,7 @@ The following sample shows the code required to connect to SQL Server using Azur
 
 ```cpp
     ...
-    SQLCHAR connString[] = "Driver={ODBC Driver 17 for SQL Server};Server={server};UID=myuser;PWD=myPass;Authentication=ActiveDirectoryPassword"
+    SQLCHAR connString[] = "Driver={ODBC Driver 18 for SQL Server};Server={server};UID=myuser;PWD=myPass;Authentication=ActiveDirectoryPassword;Encrypt=yes;"
     ...
     SQLDriverConnect(hDbc, NULL, connString, SQL_NTS, NULL, 0, NULL, SQL_DRIVER_NOPROMPT);
     ...
@@ -158,7 +158,7 @@ The following sample shows the code required to connect to SQL Server using Azur
 The following sample shows the code required to connect to SQL Server using Azure Active Directory with access token authentication. In this case, it's necessary to modify application code to process the access token and set the associated connection attribute.
 
 ```cpp
-    SQLCHAR connString[] = "Driver={ODBC Driver 17 for SQL Server};Server={server}"
+    SQLCHAR connString[] = "Driver={ODBC Driver 18 for SQL Server};Server={server};Encrypt=yes;"
     SQLCHAR accessToken[] = "eyJ0eXAiOi..."; // In the format extracted from an OAuth JSON response
     ...
     DWORD dataSize = 2 * strlen(accessToken);
@@ -179,17 +179,17 @@ The following sample shows the code required to connect to SQL Server using Azur
 The following sample connection string is for use with Azure Active Directory Interactive Authentication. It doesn't contain PWD field as the password would be entered on the Azure Authentication screen.
 
 ```cpp
-SQLCHAR connString[] = "Driver={ODBC Driver 17 for SQL Server};Server={server};UID=myuser;Authentication=ActiveDirectoryInteractive"
+SQLCHAR connString[] = "Driver={ODBC Driver 18 for SQL Server};Server={server};UID=myuser;Authentication=ActiveDirectoryInteractive;Encrypt=yes;"
 ```
 
 The following sample connection string is for use with Azure Active Directory Managed Identity Authentication. UID is set to the object ID of the user identity when using a user-assigned identity.
 
 ```cpp
 // For system-assigned identity,
-SQLCHAR connString[] = "Driver={ODBC Driver 17 for SQL Server};Server={server};Authentication=ActiveDirectoryMsi"
+SQLCHAR connString[] = "Driver={ODBC Driver 18 for SQL Server};Server={server};Authentication=ActiveDirectoryMsi;Encrypt=yes;"
 ...
 // For user-assigned identity with object ID equals to myObjectId
-SQLCHAR connString[] = "Driver={ODBC Driver 17 for SQL Server};Server={server};UID=myObjectId;Authentication=ActiveDirectoryMsi"
+SQLCHAR connString[] = "Driver={ODBC Driver 18 for SQL Server};Server={server};UID=myObjectId;Authentication=ActiveDirectoryMsi;Encrypt=yes;"
 ```
 
 ## Considerations for using ADFS Federated Accounts on Linux/macOS
diff --git a/docs/connect/odbc/windows/asynchronous-execution-notification-method-sample.md b/docs/connect/odbc/windows/asynchronous-execution-notification-method-sample.md
@@ -308,7 +308,7 @@ int _tmain(int argc, _TCHAR* argv[])
     for(int i = 0; i < g_nConnection; i++)  
     {  
         SQLDriverConnect(g_hDbcs[i],NULL,
-            (SQLCHAR*)"DRIVER={ODBC Driver 17 for SQL Server};Server=your_server;database=your_database;uid=usr;pwd=your_password",
+            (SQLCHAR*)"DRIVER={ODBC Driver 18 for SQL Server};Server=your_server;Encrypt=yes;database=your_database;uid=usr;pwd=your_password",
             SQL_NTS, (SQLCHAR*)g_connOut[i].szOutConnectionString, 500, &g_connOut[i].iLen, SQL_DRIVER_NOPROMPT);  
     }
 
diff --git a/docs/connect/php/always-encrypted-secure-enclaves.md b/docs/connect/php/always-encrypted-secure-enclaves.md
@@ -237,7 +237,7 @@ function getResults($stmt)
 <?php
 // Specify Azure Key Vault credentials using the KeyStoreAuthentication, KeyStorePrincipalId, and KeyStoreSecret keywords
 // Otherwise, the local Windows Certificate Store will be used
-$options = "sqlsrv:server=$myServer;database=$myDatabase;driver={ODBC Driver 17 for SQL Server};";
+$options = "sqlsrv:server=$myServer;database=$myDatabase;driver={ODBC Driver 18 for SQL Server};";
 $options .= "ColumnEncryption=VBS-HGS,http://myattestationserver.mydomain/Attestation",
 
 $conn = new PDO($options, $myUsername, $myPassword);
diff --git a/docs/connect/python/pyodbc/step-3-proof-of-concept-connecting-to-sql-using-pyodbc.md b/docs/connect/python/pyodbc/step-3-proof-of-concept-connecting-to-sql-using-pyodbc.md
@@ -74,7 +74,7 @@ This interactive option works if Python and pyODBC permit the ODBC driver to dis
 
 The following example provides an ODBC connection string that specifies Azure Active Directory interactive authentication:
 
-`server=Server;database=Database;UID=UserName;Authentication=ActiveDirectoryInteractive;`
+`server=Server;database=Database;UID=UserName;Authentication=ActiveDirectoryInteractive;Encrypt=yes;`
 
 For more information about the authentication options of the ODBC driver, see [Using Azure Active Directory with the ODBC Driver](../../odbc/using-azure-active-directory.md#new-andor-modified-dsn-and-connection-string-keywords).
 

Original file line number	Diff line number	Diff line change
`@@ -308,7 +308,7 @@ int _tmain(int argc, _TCHAR* argv[])`
`308`	`308`	`for(int i = 0; i < g_nConnection; i++)`
`309`	`309`	`{`
`310`	`310`	`SQLDriverConnect(g_hDbcs[i],NULL,`
`311`		`- (SQLCHAR*)"DRIVER={ODBC Driver 17 for SQL Server};Server=your_server;database=your_database;uid=usr;pwd=your_password",`
	`311`	`+ (SQLCHAR*)"DRIVER={ODBC Driver 18 for SQL Server};Server=your_server;Encrypt=yes;database=your_database;uid=usr;pwd=your_password",`
`312`	`312`	`SQL_NTS, (SQLCHAR*)g_connOut[i].szOutConnectionString, 500, &g_connOut[i].iLen, SQL_DRIVER_NOPROMPT);`
`313`	`313`	`}`
`314`	`314`