Security Guide : 6. Using Data at Rest Encryption : Transparent vs. Function-based Encryption
 
Share this page                  
Transparent vs. Function-based Encryption
Column values can be encrypted at either of the following levels:
Transparent column encryption (see Transparent Column Encryption), done at the DBMS Server level
If you want the server to handle encryption for the application and be assured that data at rest is encrypted, declare the columns as encrypted on the CREATE TABLE statement, where you also define an encryption passphrase.
The passphrase applies to all encrypted rows and columns in the table.
Function-based encryption (see Function-based Encryption (Application-level Encryption)), done at the application level
If you want to control the process and provide the passphrase at the application level, use the SQL functions AES_ENCRYPT_VARCHAR and AES_DECRYPT_VARCHAR.
The passphrase can apply to one row.
You can combine the two levels, declaring encrypted columns on CREATE TABLE, and then storing application-encrypted data in them.