| | Database at-rest encryption | Microsoft / Oracle TDE | Client-side field level encryption | Acra field level encryption |
|---|---|---|---|---|
| Encryption of | The whole database | The whole database | Selected sensitive fields | Selected sensitive fields |
| Access to encryption keys | The database | The database | Client app | Acra |
| Plaintext leakage from DBAs | Yes | Yes | No (data is encrypted before it gets to the database) | No (data is encrypted before it gets to the database) |
| Plaintext leakage from backups | Yes | Yes | No (data is encrypted before it gets to the backup) | No (data is encrypted before it gets to the backup) |
| Number of keys | One for the whole database | One for the whole database | Per field, per app | Per field, per app, per zone |
| Application code changes | None | None | Significant | None, or very small |
Database encryption methods
Different database encryption methods provide various security guarantees. Acra field level encryption works transparently for the app and the database, requires zero application code changes and hides cryptographic details from developers.
Database encryption in use
Acra blends well with your application as an SQL encryption proxy, an encryption-as-a-service API, an API proxy, or an in-app SDK. Each mode has its own pros and cons.
The most popular mode is transparent encryption via the Acra SQL proxy. Acra sits between the application and the database and encrypts/decrypts data transparently. Acra supports various key management procedures (key rotation with and without data encryption, key revocation, and others according to NIST SP 800-57). Acra supports HYOK (hold your own key) and BYOK (bring your own key), allowing customers to keep full control over encryption keys.
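To make the field level row of the comparison table concrete, here is an added example (not Acra's code or its data format) of what "selected sensitive fields, per-field and per-zone keys" means in practice: only the sensitive column is sealed with AES-256-GCM under a key derived per zone/table/column, so the row a DBA or a backup sees carries ciphertext, and another zone's key cannot open it. The master key, the HMAC-based key derivation, and the zone/table/column names are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed placeholder; in production the master key lives in a KMS/HSM (HYOK/BYOK), not in the app.
var masterKey = []byte("constructed-32-byte-master-key!!")

// fieldAEAD derives a distinct AES-256-GCM key per zone/table/column, so one leaked column key exposes nothing else.
func fieldAEAD(zone, table, column string) cipher.AEAD {
	mac := hmac.New(sha256.New, masterKey)
	mac.Write([]byte(zone + "/" + table + "/" + column))
	block, _ := aes.NewCipher(mac.Sum(nil)) // 32-byte HMAC output is a valid AES-256 key
	aead, _ := cipher.NewGCM(block)          // cannot fail for an AES block cipher
	return aead
}

// EncryptField returns nonce||ciphertext||tag. The column name is bound as associated
// data, so a ciphertext copied into another column will not decrypt.
func EncryptField(zone, table, column string, plaintext []byte) ([]byte, error) {
	aead := fieldAEAD(zone, table, column)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(column)), nil
}

// DecryptField reverses EncryptField; it fails for a wrong zone or column or a tampered blob.
func DecryptField(zone, table, column string, blob []byte) ([]byte, error) {
	aead := fieldAEAD(zone, table, column)
	if len(blob) < aead.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short: %d bytes", len(blob))
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], []byte(column))
}

func main() {
	// Only the sensitive column is encrypted; the stored row (and any backup of it) carries ciphertext.
	ssn, _ := EncryptField("tenant-a", "customers", "ssn", []byte("123-45-6789"))
	fmt.Printf("stored row: email=%q ssn=%x\n", "alice@example.com", ssn)
	_, err := DecryptField("tenant-b", "customers", "ssn", ssn) // another zone's key
	fmt.Println("cross-zone decrypt:", err)
}
```

With TDE or at-rest encryption the same row would be returned in plaintext to anyone with database access, which is the leakage the table's "Yes" cells refer to.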
Additional relevant materials
The keynote 'Data is a new security boundary' is presented by Anastasiia Voitova at OWASP Global AppSec US 2021. Anastasiia explains how modern data protection combines multiple security controls and follows sensitive data where it exists – from client-side apps to the databases. The YouTube video is available as well.