PaulDotCom mailing list archives
Database Encryption
From: bcg at struxural.com (Ben Greenfield)
Date: Wed, 26 May 2010 09:34:24 -0400
I believe that TDE (Transparent Database Encryption) does not actually provide cell level encryption. Rather, it encrypts the entire database using PKI. As far as I'm aware, there are really only three ways to encrypt a database: at the operating system level (i.e. Encrypting File System (EFS) and BitLocker in Windows Server), at the application (database cell/column) level, and at the SQL server level (Transparent Data Encryption). SQL server level encryption protects the entire database, not just specific columns, as well as the database backups. This feature is known as Transparent Data Encryption (TDE), and is only available in the Enterprise version of SQL Server 2008, and recent versions of Oracle (since 10g I believe). MySQL does not natively support TDE, although third party add-ons and appliances are available that do support it. The big advantage to TDE versus the other options is that TDE can be enabled without any code changes. Moving to TDE is a major choice which will likely have performance costs, and definitely requires that the certificates used get securely backed up.

Another option is to encrypt individual database cells and columns, rather than the entire database. However, this option would require code changes. You would specify which columns you want to encrypt within code, and call ENCRYPTBYKEY and DECRYPTBYKEY (in Microsoft SQL Server) to selectively work with the data. This feature has been available since SQL Server 2005, and does not require the enterprise edition of SQL Server 2008. This is one option that you can consider.

Yet another choice is to utilize an encrypted file system. This provides a similar degree of security to TDE while the data is at rest, and coupled with strong file system permissions and application level encryption can definitely be considered a secure solution.
It's also worth keeping in mind that no encryption technology is a silver bullet, and that all three methods could be used simultaneously for a complementary effect. For additional information on database encryption in SQL Server, you can refer to:
http://msdn.microsoft.com/en-us/library/cc278098.aspx
http://msdn.microsoft.com/en-us/library/bb934049.aspx

Hope that's helpful,

Thanks,

On Tue, May 25, 2010 at 6:27 PM, Raffi Jamgotchian <raffi at flossyourmind.com> wrote:

FDE would only be useful if there is fear the physical media is stolen (local db replica or backup device for example). I would talk to Rich Mogull

On May 25, 2010 11:04 AM, "John Hoyt" <john.h.hoyt at gmail.com> wrote:

Does anyone have experience with database (row/record) encryption? I'm looking at Oracle TDE and other competitor solutions. Some of the main points I'm interested in are:
Performance
Key management
Backups
Comparison against full-disk encryption

Thanks for any help,
John

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
--
Benjamin C. Greenfield, CISSP
bcg [at] struxural.com
Domains and Hosting for Less from Struxural: http://www.struxural.com
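The column-level approach Ben describes (ENCRYPTBYKEY / DECRYPTBYKEY in SQL Server 2005 and later), shown as an added T-SQL example that is not part of the original post. All object names, the passphrases, file paths and the sample card number are constructed for illustration.

```sql
-- Added example (not from the post): column-level encryption in SQL Server
-- with ENCRYPTBYKEY / DECRYPTBYKEY. Object names, passphrases, paths and
-- sample values are constructed for illustration.

-- One-time setup: database master key -> certificate -> symmetric key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Use-a-long-random-passphrase-here!';
CREATE CERTIFICATE CustomerDataCert WITH SUBJECT = 'Protects the customer column key';
CREATE SYMMETRIC KEY CustomerDataKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CustomerDataCert;

-- The sensitive column holds ciphertext bytes, never plaintext.
CREATE TABLE dbo.Customer (
    CustomerId  INT            NOT NULL PRIMARY KEY,
    FullName    NVARCHAR(100)  NOT NULL,
    CardNumber  VARBINARY(256) NULL   -- output of ENCRYPTBYKEY
);

-- Application write path: open the key, encrypt, close the key.
-- The 3rd/4th arguments bind the ciphertext to the row's primary key
-- (an "authenticator"), so a ciphertext copied from another row will
-- not decrypt. ENCRYPTBYKEY uses a random IV, so the same plaintext gives
-- different bytes each time; equality searches on this column are not possible.
OPEN SYMMETRIC KEY CustomerDataKey DECRYPTION BY CERTIFICATE CustomerDataCert;
INSERT INTO dbo.Customer (CustomerId, FullName, CardNumber)
VALUES (1001, N'Alice Example',
        ENCRYPTBYKEY(KEY_GUID('CustomerDataKey'), N'4111111111111111', 1, N'1001'));
CLOSE SYMMETRIC KEY CustomerDataKey;

-- Application read path. DECRYPTBYKEY returns NULL (not an error) when the
-- key is not open or the authenticator does not match, so callers must
-- treat NULL as "could not decrypt", not as "no card on file".
OPEN SYMMETRIC KEY CustomerDataKey DECRYPTION BY CERTIFICATE CustomerDataCert;
SELECT c.CustomerId, c.FullName,
       CONVERT(NVARCHAR(20),
               DECRYPTBYKEY(c.CardNumber, 1, CONVERT(NVARCHAR(128), c.CustomerId))) AS CardNumber
FROM dbo.Customer AS c;
CLOSE SYMMETRIC KEY CustomerDataKey;

-- With the key closed, a reader (or a stolen backup) sees only ciphertext:
SELECT CustomerId, CardNumber FROM dbo.Customer;

-- As the post stresses for TDE, the certificate and its private key must be
-- backed up off the server, or the encrypted column becomes unrecoverable.
BACKUP CERTIFICATE CustomerDataCert
    TO FILE = 'C:\SecureBackup\CustomerDataCert.cer'
    WITH PRIVATE KEY (FILE = 'C:\SecureBackup\CustomerDataCert.pvk',
                      ENCRYPTION BY PASSWORD = 'Another-long-random-passphrase!');
```

Key management still lives in the database here (the master key is protected by the service master key by default), so a full-disk or file-system layer, as the post suggests, is what covers the case where the whole server image walks away.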