Database encryption is the technology used to protect the data held in databases. Encryption can be applied to the contents through native database functions or externally with a third-party tool.
Database encryption can be classified into two basic types:
Transparent/External Encryption – the term for encrypting the entire database. This is provided by native encryption functions within the database engine. Some database vendors offer column- and table-level granularity, but it is increasingly common to apply encryption to all the data. It is called ‘transparent’ database encryption because it is invisible to the applications and users that use the data, and requires no changes to application logic. The principal use case is to prevent exposure of information due to loss of the physical media (disk, tape, etc.) or compromise of the database files in storage. Transparent encryption can also be handled through drive or OS/file-system encryption, which encrypts everything that gets written to disk. Transparent encryption protects the database from users without database credentials, but does not protect data from authorized users.
User/Data Encryption – the term for encrypting specific columns, tables, or even individual data elements within the database. It is called ‘user’ encryption because the objects being encrypted are owned and managed on a per-user basis. Tokenization also falls into this category. The classic use case for this encryption model is encrypting credit card numbers within a database. The goal is to provide protection against inadvertent disclosure, or to enforce separation of duties among credentialed users of the database. The downside is that these variants are not invisible to the application and usually require code and database changes. The concept is to encrypt only the highly sensitive data the company is worried about, reducing the overall performance impact and minimizing code and database changes. How this is accomplished depends on how key management is handled, whether internal or external encryption services are used, and how applications use the database.
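As an added example (not code from the original article), the user/data encryption model applied to the credit card case: the application, not the database engine, encrypts the card number column before the row is inserted, which is exactly why this model is not transparent and needs code changes. It is a constructed Go snippet using the standard library's AES-256-GCM; the CardRow layout, the function names and the choice to bind each ciphertext to its row ID as associated data are assumptions made for illustration, and the key is assumed to be fetched from a KMS or HSM rather than stored with the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// CardRow is what the application inserts: ciphertext in PAN, last four digits in clear.
type CardRow struct{ ID string; PAN []byte; Last4 string }

// NewColumnCipher wraps a 32-byte key in AES-256-GCM once, at application
// start. The key comes from a KMS or HSM, never from the database it protects.
func NewColumnCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one column value under a fresh random nonce. The row ID is
// bound in as associated data, so a ciphertext moved to another row will not open.
func EncryptField(aead cipher.AEAD, rowID, plaintext string) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, []byte(plaintext), []byte(rowID)), nil
}

// DecryptField reverses EncryptField; tampering or a row swap returns an error.
func DecryptField(aead cipher.AEAD, rowID string, stored []byte) (string, error) {
	ns := aead.NonceSize()
	if len(stored) < ns {
		return "", errors.New("stored value too short to hold a nonce")
	}
	pt, err := aead.Open(nil, stored[:ns], stored[ns:], []byte(rowID))
	return string(pt), err
}

// StoreCard builds the row for one card number inside the application, not the database engine.
func StoreCard(aead cipher.AEAD, id, pan string) (CardRow, error) {
	if len(pan) < 13 {
		return CardRow{}, errors.New("PAN too short")
	}
	ct, err := EncryptField(aead, id, pan)
	return CardRow{ID: id, PAN: ct, Last4: pan[len(pan)-4:]}, err
}
```

Only Last4 is searchable in clear; any query that needs the full number has to go through DecryptField, which is where separation of duties and key access are enforced.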