Database vs. Function-based Encryption
Data can be encrypted at the DBMS Server level or the application level:
• Database encryption is done at the DBMS Server level and is transparent. If you want to be assured that all data at rest is encrypted, declare the database as encrypted using the “createdb -encrypt” command, where you also define an encryption passphrase. To enable access to the database, use the ENABLE PASSPHRASE statement.
The passphrase applies to the database.
• Function-based, or manual, encryption is done at the application level. If you want finer control, use the SQL functions AES_ENCRYPT_IV and AES_DECRYPT_IV. The functions can be used, for example, to encrypt different values of the same column with different keys. The user must supply the passphrase in the query.
The passphrase applies to a column within a chosen set of rows.
You can combine the two levels of encryption, creating an encrypted database with createdb, and then storing application-encrypted data in that database.
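The following is an added illustration of the combined approach described above; it is not taken from the Actian documentation. The argument order AES_ENCRYPT_IV(plaintext, passphrase, iv) / AES_DECRYPT_IV(ciphertext, passphrase, iv), the quoted-literal form of ENABLE PASSPHRASE, the table and column names, and all passphrase and IV values are assumptions or constructed sample data; check the argument order against the SQL Reference Guide for your release.

```sql
-- Step 1 (database level): after the DBA has created the database with
--   createdb -encrypt salesdb
-- each session must open it before any table is touched
-- (literal form of the statement assumed here).
ENABLE PASSPHRASE 'db-level-passphrase-EXAMPLE';

-- Step 2 (function level): one sensitive column, encrypted per row.
-- Constructed example table; only a label for the key is stored, never the passphrase.
CREATE TABLE customer_secret (
    cust_id   INTEGER           NOT NULL,
    key_label VARCHAR(32)       NOT NULL,  -- which application key encrypted this row
    iv        BYTE(16)          NOT NULL,  -- per-row random IV, stored in the clear
    ssn_enc   BYTE VARYING(64)  NOT NULL   -- AES ciphertext
);

-- Two rows under two different passphrases, each with its own IV
-- (hex values are constructed; in an application they come from a CSPRNG).
INSERT INTO customer_secret (cust_id, key_label, iv, ssn_enc)
VALUES (1, 'hr-2024',
        X'00112233445566778899AABBCCDDEEFF',
        AES_ENCRYPT_IV('123-45-6789', 'hr-passphrase-EXAMPLE',
                       X'00112233445566778899AABBCCDDEEFF'));

INSERT INTO customer_secret (cust_id, key_label, iv, ssn_enc)
VALUES (2, 'finance-2024',
        X'FFEEDDCCBBAA99887766554433221100',
        AES_ENCRYPT_IV('987-65-4321', 'finance-passphrase-EXAMPLE',
                       X'FFEEDDCCBBAA99887766554433221100'));

-- A caller who knows only the HR passphrase can recover only the HR rows;
-- the finance row is still protected even though both sit in the same column.
SELECT cust_id,
       AES_DECRYPT_IV(ssn_enc, 'hr-passphrase-EXAMPLE', iv) AS ssn
FROM   customer_secret
WHERE  key_label = 'hr-2024';
```

Because the passphrase travels inside the query text, an application should pass it through a parameter marker rather than embed it as a literal, so that it does not surface in query logs, monitoring tools or error messages; the literals above are for readability only. Storing a fresh IV per row, as the table does, avoids reusing the same IV with the same key across rows.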
Last modified date: 12/19/2024