What is database encryption?
Database encryption is the process of transforming data that has been stored in a database in plain-text form into ciphertext using an encryption algorithm and a secret value known as a “key.” Afterwards, the only way to decipher and use the data is with that encryption key.
Only have time for a quick glance at the tools? Here is our summary list of the best database encryption tools:
- IBM Guardium for File and Database Encryption – Provides full visibility while encrypting and decrypting structured or unstructured data, with good levels of automation and scalability.
- Vormetric Transparent Encryption – Hardware-accelerated data-at-rest encryption with centralized key management, privileged-user access control and more.
- McAfee Complete Data Protection—Advanced – Endpoint encryption solution for data at rest and data in motion, with access control and user-behavior monitoring.
- DbDefence for Microsoft SQL – Bespoke SQL Server database encryption that adds data masking for database tables as extra protection.
- BitLocker – The ‘go-to’ encryption solution for Microsoft Windows-based systems, designed to provide strong encryption for whole volumes.
Why do we need database encryption?
The term “encryption” represents the conversion of data into a secure format that can only be read using a decryption key. The whole purpose is to ensure that only authorized persons or applications can access and work with the data. In a world that has become all too familiar with breaches and hacks, data owners have come to seek ways to keep their data secure. The software industry heeded this call and came up with solutions where their clients’ data is encrypted in three major ways:
- Full-drive encryption – encryption of drives as a whole and where everything that is stored on them is ciphered. Major operating systems like Linux and Windows Server come with features that allow for full-disk encryption that can then only be accessed using a password. This password needs to be entered at boot time so that even the operating system itself can gain access to data on it. Any application that then runs on the server doesn’t require access to the password as the operating system handles its access transparently.
- Partial system encryption – file-system-only encryption that ciphers a specific folder or data file which can then be accessed by only using a password. This method is similar to the previous encryption method as here too, once the operating system confirms the right password, any applications that need to work with the data will do so transparently. The drawback here is that human error could result in sensitive data being stored in unencrypted file storage spaces or systems.
- Database encryption – data security that converts data stored in databases into undecipherable garbage that makes no sense without a password. Here the password need only be inserted when the database is being accessed and not when the whole system starts up. In this case, should there be unauthorized access to the disk – even if it were physically removed – the culprits wouldn’t be able to access the data that is in the encrypted databases.
Since we have mentioned “transparency” a couple of times in the encryption types above, it becomes necessary to look into the definition of the concept in detail:
What is Transparent Database Encryption (TDE)?
Transparent Data Encryption (TDE) is an encryption technology used by the larger database software companies such as Microsoft, IBM, and Oracle. They have made this technology part of the data security feature set of a number of their database products.
TDE is database-level encryption that works to cipher data at rest – meaning when the data is not being accessed, changed or in motion over a network – by encoding the structure of the database and not the data itself. This way, even if a disk is stolen, the database on it can’t be accessed without the original encryption certificate and master key.
TDE doesn’t require any application changes in code or otherwise when authorized users access the data, hence the “transparent” in the name. Programmers or any applications don’t need to create macros or update complex configurations to use the data. Once they are authorized, the operating system does the decryption and opens up the database for access to data in it.
This also means authorized users and applications don’t need to create auxiliary tables, triggers, or views to decrypt data that is encrypted using TDE.
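As an added illustration of the certificate and master key hierarchy described above (this is example T-SQL written for this page, not code from any vendor or product mentioned here), the following enables TDE on a SQL Server database and checks its state. The database name SalesDB, the certificate name TDE_Cert, the file paths and the passwords are placeholders.

```sql
-- Added example (not from the article): enabling TDE on a SQL Server database.
-- SalesDB, TDE_Cert, the file paths and the passwords are placeholders.
USE master;
GO
-- 1. Database master key in master, protected by a password that must be kept safe.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-placeholder-password>';
GO
-- 2. A certificate in master; it protects the database encryption key (DEK).
CREATE CERTIFICATE TDE_Cert WITH SUBJECT = 'TDE certificate for SalesDB';
GO
-- 3. Back up the certificate and its private key immediately. Without this
--    backup an encrypted database cannot be restored or attached elsewhere.
BACKUP CERTIFICATE TDE_Cert
    TO FILE = 'C:\secure\TDE_Cert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\secure\TDE_Cert.pvk',
        ENCRYPTION BY PASSWORD = '<another-placeholder-password>');
GO
-- 4. Create the DEK inside the user database and protect it with the certificate.
USE SalesDB;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDE_Cert;
GO
-- 5. Turn encryption on; existing pages are encrypted by a background task,
--    and applications keep working with no code changes.
ALTER DATABASE SalesDB SET ENCRYPTION ON;
GO
-- Check progress: encryption_state 2 = encryption in progress, 3 = encrypted.
SELECT DB_NAME(database_id) AS db, encryption_state, percent_complete,
       key_algorithm, key_length
FROM sys.dm_database_encryption_keys;
GO
-- Key rotation: regenerating the DEK re-encrypts every data page, whereas
-- re-protecting the DEK with a new certificate leaves the data pages untouched.
ALTER DATABASE ENCRYPTION KEY REGENERATE WITH ALGORITHM = AES_256;
-- Alternative, once a new certificate exists in master:
-- ALTER DATABASE ENCRYPTION KEY ENCRYPTION BY SERVER CERTIFICATE TDE_Cert_New;
GO
```

The master key and certificate live in the master database, so a stolen data file or backup is useless without them, which is the protection the section above describes.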
The best database encryption tools
What should you look for in a database encryption tool?
We reviewed the market for database encryption solutions and analyzed tools based on the following criteria:
- Compatibility with a long list of DBMSs
- Automated, closed-loop encryption and decryption
- Use of a strong encryption cipher
- Integration with access rights management (ARM) systems
- Implementation of Transparent Database Encryption (TDE)
- A free trial or a money-back guarantee for a risk-free assessment period
- Value for money from a comprehensive encryption system at a fair price
With these selection criteria in mind, we derived a list of cost-effective database encryption systems that don’t slow down data access processes.
Ok, so… here is the list of our 5 choices for the best encryption tools and software solutions to use with your data:
IBM Guardium for File and Database Encryption
IBM Guardium Data Encryption is the answer for businesses that are looking for a database encryption solution from a globally established technology brand.
- Uses TDE
- Fast processing
- Also operates file encryption
- GDPR compliant
- Operates on Windows, macOS, and Linux systems
With this tool, TDE is implemented with encryption and decryption taking place above data file systems and storage volumes or drives. This way data access is transparent to users, applications, databases, operating systems, and storage management systems.
Finally, IBM Guardium for File and Database Encryption enforces policy-dictated encryption. It offers centralized encryption key management, which allows businesses to secure their data while also ensuring they stay GDPR compliant. The policies, meanwhile, are easily defined using a user-friendly management server and can then be rolled out and implemented across a number of operating systems (Windows, Linux, and Unix).
Pros:
- Highly customizable encryption options that support multiple algorithms
- Supports both structured and unstructured data
- Cross compatible with Linux, Windows, and macOS
- Features built-in compliance management tools
Cons:
- The platform comes with many different options that take time to discover and learn
Vormetric Transparent Encryption
What makes this encryption solution stand out is its ability to secure data wherever it may be stored – locally, across multiple cloud storage solutions, and in big data. Administrators can opt for file system encryption or go for full-disk encryption.
- Uses TDE
- Operates on cloud platforms and containers
- Protects file systems and databases
- Will run while data is in use
The sheer power of Vormetric Transparent Encryption is revealed by simply looking at the data it can cover: it is easily deployable, can be scaled to cover tens of thousands of physical or virtual servers, and works on Windows, Linux, and Unix platforms.
One unique feature that comes with this solution from Thales eSecurity is that no downtime is required for initial data encryption operations. Administrators can simply use the “Live Data Transformation” option where databases and files can be encrypted while the data is in use.
Again, there is no downtime, a fact that can be appreciated when considering some tools may require a clean slate – being installed on new database servers before data can be encrypted.
Pros:
- Supports encryption as well as access control and auditing
- Can secure data across multiple environments (cloud, databases, containers, etc.)
- Built to scale, great for enterprise networks
Cons:
- Tailored more towards enterprises, not medium to small networks
McAfee Complete Data Protection—Advanced
- Applies to Windows and macOS systems
- Part of a data loss prevention system
- Encrypts disks, devices, and databases
This enterprise-level drive-encryption tool works in numerous use-cases including data loss prevention, full-disk encryption, device control, and even protection of data stored in the cloud (Dropbox and Google Drive, to name a few). It can be used on application servers running versions of Windows and Mac OS X.
Apart from encrypting data on disks and controlling access, McAfee’s Complete Data Protection tool automatically encrypts files and folders before they move through a local network and even when they are shared outside of it. Amazingly, this complete data protection solution is relatively inexpensive considering the power it brings to small-to-medium businesses that want to keep their data secure.
Pros:
- Designed for enterprise use
- Can work well with existing data loss prevention systems
- Automatically encrypts data as it moves through the network
Cons:
- Designed specifically for businesses
- Not created for non-technical users
DbDefence for Microsoft SQL
For businesses that use Microsoft SQL Server (including SQL Express and LocalDB), few software solutions offer data security as well as DbDefence; this is arguably the ideal tool for encrypting SQL Server data.
- Implements TDE
- Applies to Microsoft SQL Server
- Data masking option
This TDE tool offers data security solutions without compromising performance speeds. DBAs have full control over what they need to secure and configure DbDefence to work on tables (some or all of them), logins, and applications that access the restricted data.
Configuration modes allow three levels of securing database files and data:
- TDE that takes care of encryption while data is at rest
- A “Blackbox” function that locks down databases from being able to browse objects (tables, procedures, and functions) without the proper authorization
- A middle-ground solution known as data masking, which combines TDE protection with hiding sensitive columns from administrators and other power users
Finally, DbDefence is an effective encryption tool that is easy to set up and run; it is a lean, effective SQL Server database encryption tool with a tiny digital footprint.
Pros:
- Good fit for those who use SQL Express or Microsoft SQL Server
- Designed to make encrypting SQL Server data simple and effective
- Supports data obfuscation, encryption, and access control
Cons:
- Tailored specifically for SQL Server, not the best option for encrypting all assets
BitLocker
This is a full-disk encryption solution that comes to us by way of Microsoft. With over 90 percent of the world using one of its operating systems, and considering that Windows 10 holds almost 49 percent of the desktop OS market share, it is important to know the best way to secure data on the most popular operating system.
- Applies to disks
- Built into Windows
- Easy to set up
BitLocker Drive Encryption, as it is officially known, is a built-in Windows data protection feature that has been available with Windows operating systems right from the early days of Vista. It serves to protect users from data loss or theft that may occur in case a device is stolen, lost, or negligently decommissioned. The best way to use this encryption tool is in conjunction with the Trusted Platform Module (TPM) – a hardware security feature that comes with almost all new computers today. Without it, BitLocker would still work in encrypting drives but would instead require that the administrator insert a USB drive containing the startup key when booting encrypted devices.
The main concept behind this security tool is to make sure that no unauthorized access is granted to a drive – whether by running software-attack tools or by physically moving a hard disk to a different computer.
An appealing aspect of BitLocker is that all it takes to secure a disk and all the data on it is a few clicks.
Pros:
- Already built into modern Windows operating systems
- Highly convenient for full-disk encryption
- A great solution for home users and small networks
Cons:
- Lacks enterprise features, not the best choice for larger networks
A few words of caution
Now, although all these encryption tools offer a way to secure data, there will always be one weak point: the administrator. Should hackers gain access to the administrator password – whether because it was not kept secure or because nobody bothered to choose a complex one – nothing will stop them from gaining full access to the data.
Solution: never use default passwords. Also, create complex encryption passwords that can’t be guessed and do not write them down where anyone can find them.
The same applies to any applications that are authorized to access disks, file systems or databases: hackers could exploit weaknesses in the applications themselves to reach the data.
Solution: be careful what roles and permissions you give to every application. Keep up with patches and updates so any exploits are thwarted.
Are there any drawbacks to using database encryption tools?
OK, we have just spent all this time discussing which tools would be a perfect fit for a number of database server setup scenarios. We have also touched on a couple of precautions.
Now, we will have a look at what the cons are when it comes to encrypting a database. Because, although you might be willing to secure your data, there are some aspects you also need to keep an eye out for. They are:
- Forgetting the password – administrators need to use complex passwords to truly secure their databases and, unfortunately, this makes it much easier for them to forget them; if they do, there’s probably no way of accessing that data ever again.
- A false sense of security – while encrypting data using these latest tools secures your data, it doesn’t mean that you should let your guard down; always be on the lookout for new methods of hacking. Make sure you keep your whole digital environment patched and updated.
- Resource hogging – while most database encryption tools aren’t resource-intensive, that can change as your data grows and as more users or applications keep asking for more and more data. This security cost might be offset by adding resources, but that also means convincing management to increase your budget.
Looking at these drawbacks, it can safely be said that the advantages outweigh them by far. This leads us to the conclusion: if you have sensitive files and confidential data, you should always consider encrypting it.
Database Encryption FAQs
What is the difference between asymmetric and symmetric encryption?
Symmetric key encryption uses the same key to encrypt and decrypt a text. With asymmetric encryption, the key used to decrypt a text is different from the one used to encrypt it. Symmetric encryption systems require that the key be shared, which is a hazardous process because if anyone intercepts the transmission of the key, the encryption is worthless. With asymmetric encryption, the encryption key needs to be kept private. However, the decryption key can be made public. Therefore, these are called the private key and the public key. It is impossible to work out the private key if you have the public key. Therefore, the recipient of an encrypted text can be sure that the declared sender actually created the encrypted text because the related public key decrypts it. For this reason, asymmetric encryption systems are often used for authentication.
What is the major issue with database encryption?
Database encryption improves data security. However, it does have disadvantages. For a start, encrypted data needs to be decrypted when accessed in order for it to be useful, so the decryption process slows down access to data. Encrypting the data for storage also slows down the data input phase. At some point, data extracted from the database will be in plain-text format. This is a point of weakness, particularly with database systems that cache results in memory for rapid, repeated access, since that stores the data in an unencrypted form. Another problem is the handling of encryption keys. If the same key is used for the entire database, renewing that key requires all of the database’s contents to be decrypted and re-encrypted, which is a time-consuming task. If the encryption is not periodically renewed, there is a risk that the key could be discovered and all security compromised.
Is MySQL database encrypted?
By default, MySQL databases are not encrypted. However, encryption can be activated on a tablespace through the ALTER TABLESPACE command.
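As an added example for the answer above (written for this page, not taken from MySQL documentation or the article), the following shows how InnoDB tablespace encryption is enabled, verified and key-rotated in MySQL 8.0. It assumes a keyring plugin or component is already configured on the server; ts_secure and customers are placeholder names.

```sql
-- Added example (not from the article): InnoDB tablespace encryption in MySQL 8.0.
-- ts_secure and customers are placeholder names; a keyring plugin or component
-- must already be loaded, or every ENCRYPTION = 'Y' statement below will fail.
-- 1. Confirm a keyring plugin is active (components show up elsewhere, in
--    performance_schema.keyring_component_status).
SELECT PLUGIN_NAME, PLUGIN_STATUS
FROM INFORMATION_SCHEMA.PLUGINS
WHERE PLUGIN_NAME LIKE 'keyring%';

-- 2. A general tablespace that is encrypted from the moment it is created;
--    tables placed in it inherit the encryption setting.
CREATE TABLESPACE ts_secure ADD DATAFILE 'ts_secure.ibd' ENCRYPTION = 'Y';
CREATE TABLE customers (
    id    INT PRIMARY KEY,
    email VARCHAR(255) NOT NULL
) TABLESPACE ts_secure;

-- 3. Encrypting an existing tablespace in place (the ALTER TABLESPACE route
--    mentioned above). For a file-per-table table the equivalent is
--    ALTER TABLE <name> ENCRYPTION = 'Y'.
ALTER TABLESPACE ts_secure ENCRYPTION = 'Y';

-- 4. Verify what is actually encrypted rather than assuming it.
SELECT NAME, ENCRYPTION
FROM INFORMATION_SCHEMA.INNODB_TABLESPACES
WHERE NAME = 'ts_secure';

-- 5. Rotate the master key held in the keyring. Only the per-tablespace keys
--    are re-wrapped; the data pages are not re-encrypted, which avoids the
--    full decrypt-and-re-encrypt cost described in the FAQ above.
ALTER INSTANCE ROTATE INNODB MASTER KEY;

-- 6. Make encryption the default for newly created tablespaces and tables so
--    sensitive data does not silently land in an unencrypted one.
SET GLOBAL default_table_encryption = ON;
```

Step 6 sets the default for the running instance only; persist it in the server configuration (or with SET PERSIST) if it should survive a restart.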