| Database at-rest encryption | Microsoft / Oracle TDE | Client-side field level encryption | Acra field level encryption | |
|---|---|---|---|---|
| Encryption of | The whole database | The whole database | Selected sensitive fields | Selected sensitive fields |
| Access to encryption keys | The database | The database | Client app | Acra |
| Plaintext leakage from DBAs | Yes | Yes | No | No |
| Plaintext leakage from backups | Yes | Yes | No | No |
| Number of keys | One for the whole database | One for the whole database | Per field, per app | Per field, per app, per zone |
| Application code changes | None | None | Significant | None, or very small |
Typical database encryption requirements
Modern database encryption solutions
Database encryption methods #
Different database encryption methods provide various security guarantees. Acra field level encryption works transparently for the app and the database, requires zero application code changes and hides cryptographic details from developers.
Database at-rest encryption
Encryption of
The whole database
Access to encryption keys
The database
Plaintext leakage from DBAs
Yes
Plaintext leakage from backups
Yes
Number of keys
One for the whole database
Application code changes
None
Microsoft / Oracle TDE
Encryption of
The whole database
Access to encryption keys
The database
Plaintext leakage from DBAs
Yes
Plaintext leakage from backups
Yes
Number of keys
One for the whole database
Application code changes
None
Client-side field level encryption
Encryption of
Selected sensitive fields
Access to encryption keys
Client app
Plaintext leakage from DBAs
No
data is encrypted before it gets to the database
Plaintext leakage from backups
No
data is encrypted before it gets to the backup
Number of keys
Per field, per app
Application code changes
Significant
Encryption of
Selected sensitive fields
Access to encryption keys
Acra
Plaintext leakage from DBAs
No
data is encrypted before it gets to the database
Plaintext leakage from backups
No
data is encrypted before it gets to the backup
Number of keys
Per field, per app, per zone
Application code changes
None, or very small
Our mission is simple.
Our offerings
// Database encryption software
Acra
A DATABASE SECURITY SUITE
Acra offers a field level and searchable database encryption which is easy-to-integrate in already-built infrastructures. Acra works with SQL and NoSQL databases. Acra gives transparent field level encryption proxy and encryption-as-an-API service.
To be announced
There’s something we’re preparing to address new challenges – Please stay tuned for further announcements.
// Consulting
Security engineering & architecture
Our security engineers team will assist with integrating field level encryption for sensitive data in your infrastructure (re-design the dataflow, optimise SQL queries, ensure HA and load balancing, migrate data, etc.) to mitigate the risks of data leakage.
Multi-layered defenses
Encryption never comes alone. We will advise you on data migration, key management, designing application level encryption flow, implementing certain security features, assessing your product, verifying its security properties, and providing actionable advisory on improvements.
SSDLC
We help teams set up and improve the SSDLC for application development. We assist in prioritising and implementing security features, suggest automated tools and follow the latest security guidelines and regulations.
Have a question? Get a human to answer it!
How we make a difference
Database encryption in use
Acra blends well with your application as SQL encryption proxy, encryption-as-a-service API, API proxy, or in-app SDK. Each mode has its own pros and cons.
The most popular mode is transparent encryption via Acra SQL proxy. Acra sits between the application and the database, and encrypts/decrypts data transparently. Acra supports various key management procedures (key rotation with and without data encryption, key revocation, and others according to NIST SP 800-57). Acra supports HYOK and BYOK, allowing customers to have full control over encryption keys.
Additional relevant materials
The keynote 'Data is a new security boundary' is presented by Anastasiia Voitova at OWASP Global AppSec US 2021. Anastasiia explains how modern data protection combines multiple security controls and follows sensitive data where it exists – from client-side apps to the databases. The YouTube video is available as well.
Frequently Asked Questions
How are databases encrypted?
Databases can be protected by enabling “data at rest” encryption which protects from offline attacks and having access to the physical servers and disks. In this case, the database has access to the encryption keys. Application level encryption and field level encryption allows encrypting data outside the database, pushing already-encrypted data in, protecting the data from insiders, DBAs, misconfiguration, SQL injection attacks and many more. Acra provides field level encryption for SQL and NoSQL databases.
Does database encryption affect performance?
Any encryption affects performance, as it requires encrypting and decrypting the data. Acra uses modern, strong, and efficient ciphers, like AES-256-GCM. Using Acra as a transparent SQL proxy adds 3..6% of the performance penalty. The penalty doesn’t depend on the volume of stored data but on how many sensitive fields are encrypted in one database request.
Should database data be encrypted?
It depends on data classes and kinds. According to industry standards and data privacy regulations, sensitive data should be encrypted during processing. Sensitive data includes PII, PHI, payment data, and any kind of business-essential data. Check out the “PII encryption requirements. Checklist” and GDPR for software developers: implementing rights and security demands.
