PaulDotCom mailing list archives

Database Encryption


From: bcg at struxural.com (Ben Greenfield)
Date: Wed, 26 May 2010 09:34:24 -0400

I believe that TDE (Transparent Database Encryption) does not actually
provide cell level encryption.  Rather, it encrypts the entire
database using PKI.

As far as I'm aware, there are really only three ways to encrypt a
database: at the operating system level (i.e. Encrypting File System
(EFS) and BitLocker in Windows Server), at the application (database
cell/column) level, and at the SQL server level (Transparent Data
Encryption).

SQL server level encryption protects the entire database, not just
specific columns, as well as the database backups.  This feature is
known as Transparent Data Encryption (TDE), and is only available in
the Enterprise version of SQL Server 2008, and recent versions of
Oracle (since 10g I believe).  MySQL does not natively support TDE,
although third party add-ons and appliances are available that do
support it.  The big advantage to TDE versus the other options is that
TDE can be enabled without any code changes.  Moving to TDE is a major
choice which will likely have performance costs, and definitely
requires that the certificates used get securely backed up.

Another option is to encrypt individual database cells and columns,
rather than the entire database.  However, this option would require
code changes.  You would specify which columns you want to encrypt
within code, and call ENCRYPTBYKEY and DECRYPTBYKEY (in Microsoft SQL
Server) to selectively work with the data.  This feature has been
available since SQL Server 2005, and does not require the enterprise
edition of SQL Server 2008.  This is one option that you can consider.

Yet another choice is to utilize an encrypted file system.  This
provides a similar degree of security to TDE while the data is at
rest, and coupled with strong file system permissions and application
level encryption can definitely be considered a secure solution.

It's also worth keeping in mind that no encryption technology is a
silver bullet, and that all three types of methods could be used
simultaneously for a complementary effect.

For additional information on database encryption in SQL Server, you
can refer to:
http://msdn.microsoft.com/en-us/library/cc278098.aspx
http://msdn.microsoft.com/en-us/library/bb934049.aspx


Hope that's helpful,
Thanks,

On Tue, May 25, 2010 at 6:27 PM, Raffi Jamgotchian
<raffi at flossyourmind.com> wrote:
FDE would only be useful if there is fear the physical media is stolen
(local db replica or backup device for example). I would talk to Rich Mogull

On May 25, 2010 11:04 AM, "John Hoyt" <john.h.hoyt at gmail.com> wrote:

Does anyone have experience with database (row/record) encryption? I'm
looking at Oracle TDE and other competitor solutions.

Some of the main points I'm interested in are:

Performance
Key management
Backups
Comparison against full-disk encryption

Thanks for any help,
John




_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
--
Benjamin C. Greenfield, CISSP

bcg [at] struxural.com

Domains and Hosting for Less from Struxural:
http://www.struxural.com
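The two SQL Server options Ben describes (TDE for the whole database and its backups, and ENCRYPTBYKEY/DECRYPTBYKEY for individual columns) look like this in T-SQL. This is an added example, not code from the thread or from Microsoft's documentation; the database name CustomerDb, the certificate and key names, the backup file paths, the placeholder passwords and the sample card number are all constructed for illustration. It also includes the two checks a practitioner wants after each step: confirming the database's encryption state, and confirming that a ciphertext cannot be moved between rows.

```sql
-- Added example (not from the thread). Assumes SQL Server 2008 Enterprise
-- (TDE requires Enterprise), a database named CustomerDb, and placeholder
-- passwords that you replace with real ones.

-----------------------------------------------------------------------
-- 1. Transparent Data Encryption: whole database + backups, no app changes
-----------------------------------------------------------------------
USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-placeholder-password-1>';
GO
CREATE CERTIFICATE TdeServerCert WITH SUBJECT = 'TDE certificate for CustomerDb';
GO
-- Back the certificate AND its private key up before enabling TDE. Without
-- this pair, neither the database nor any backup taken afterwards can be
-- restored on another server; this is the "certificates get securely backed
-- up" requirement from the message above.
BACKUP CERTIFICATE TdeServerCert
    TO FILE = 'C:\keybackup\TdeServerCert.cer'               -- placeholder path
    WITH PRIVATE KEY (
        FILE = 'C:\keybackup\TdeServerCert.pvk',             -- placeholder path
        ENCRYPTION BY PASSWORD = '<strong-placeholder-password-2>');
GO
USE CustomerDb;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeServerCert;
GO
ALTER DATABASE CustomerDb SET ENCRYPTION ON;
GO
-- Check: encryption_state 2 = encryption in progress, 3 = encrypted.
SELECT DB_NAME(database_id) AS db, encryption_state, key_algorithm, key_length
FROM sys.dm_database_encryption_keys;
GO

-----------------------------------------------------------------------
-- 2. Cell-level encryption: one column, the application calls the functions
-----------------------------------------------------------------------
-- CustomerDb needs its own database master key to protect the certificate.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-placeholder-password-3>';
GO
CREATE CERTIFICATE CardCert WITH SUBJECT = 'Protects the card-number symmetric key';
GO
CREATE SYMMETRIC KEY CardKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CardCert;
GO
CREATE TABLE dbo.Customer (
    CustomerId    int           NOT NULL PRIMARY KEY,
    Name          nvarchar(100) NOT NULL,
    CardNumberEnc varbinary(256) NULL     -- ciphertext only; plaintext is never stored
);
GO
-- The key must be opened in the session before ENCRYPTBYKEY/DECRYPTBYKEY work;
-- with the key closed, DECRYPTBYKEY silently returns NULL rather than failing.
OPEN SYMMETRIC KEY CardKey DECRYPTION BY CERTIFICATE CardCert;

-- The 3rd/4th arguments add an authenticator derived from the row's primary
-- key, so a ciphertext copied from one row to another will not decrypt.
INSERT INTO dbo.Customer (CustomerId, Name, CardNumberEnc)
VALUES (1001, N'Sample Customer',
        ENCRYPTBYKEY(KEY_GUID('CardKey'), N'4111111111111111',   -- constructed test number
                     1, HASHBYTES('SHA1', CONVERT(varbinary(4), 1001))));

-- Normal read path: decrypt with the same authenticator.
SELECT CustomerId, Name,
       CONVERT(nvarchar(32),
               DECRYPTBYKEY(CardNumberEnc, 1,
                            HASHBYTES('SHA1', CONVERT(varbinary(4), CustomerId)))) AS CardNumber
FROM dbo.Customer;

-- Check: decrypting with a different row id's authenticator yields NULL,
-- which is what stops ciphertext-swapping between rows.
SELECT CONVERT(nvarchar(32),
               DECRYPTBYKEY(CardNumberEnc, 1,
                            HASHBYTES('SHA1', CONVERT(varbinary(4), 9999)))) AS ShouldBeNull
FROM dbo.Customer WHERE CustomerId = 1001;

CLOSE SYMMETRIC KEY CardKey;
GO
```

Note the division of responsibility the two halves show: with TDE the application never changes and the risk concentrates in the certificate backup and who can restore it, whereas with cell-level encryption every read and write path has to open the key and call the functions, so a code path that forgets to do so surfaces as NULLs rather than as an error.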