Security Guide > Security Guide > Using Data at Rest Encryption > Database vs. Function-based Encryption
Was this helpful?
Database vs. Function-based Encryption
Data can be encrypted at the DBMS Server level or the application level:
Database encryption is done at the DBMS Server level and is transparent. If you want the server to handle encryption for the application and be assured that data at rest is encrypted, declare the database as encrypted on the createdb -encrypt command, where you also define an encryption passphrase.
The passphrase applies to the database.
Function-based, or manual, encryption is done at the application level. If you want more control, use the SQL functions AES_ENCRYPT_IV and AES_DECRYPT_IV. The functions can be used, for example, to encrypt different values of the same column with different keys. The user must enter the passphrase in the query.
The passphrase applies to a column of a set of rows.
You can combine the two levels of encryption, creating an encrypted database with createdb, and then storing application-encrypted data in that database.
Last modified date: 03/21/2024