Home>> Products>>Column Encryption vs. Database Encryption
NetLib® Encryptionizer® Product Overview
Differences Between Whole Database and Column Encryption
NetLib® Encryptionizer® is the only product line that can provide both whole database and column-level encryption. Below is a discussion of each of the methods by which data in SQL Server can be protected.
Whole Database Encryption encrypts an entire MDF database file (the file type into which SQL Server stores data for a particular named database), so it can only be attached to the secured instance of SQL Server. The DBA has many tools to restrict who can access what tables and columns. However, if the MDF file is copied, stolen, downloaded, or hacked from the server or from backup media, that protection is gone. The "bad guy" can attach the database to his own instance of SQL Server or MSDE and see everything. In fact, they can see a lot of data by browsing the file with a simple text editor. (This is not a limitation of SQL Server; it is true for all database platforms without special protection, including Oracle and Sybase.)
Column Encryption encrypts individual columns so that they can only be seen by authorized users or groups. This allows you to protect data from certain users who ordinarily need access to the rest of the table. For example, you might want everyone in the company to be able to look at the Employee table for name, phone number, or hire date. However, you might only want members of the HR department to be able to see Social Security numbers and birth dates.
NetLib Encryptionizer Whole Database Encryption and Column Encryption products can be layered to provide the protections of both methods.
Whole Database Encryption Advantages
- Simplest to implement - a few clicks and it is done.
- No code changes necessary to applications
- Negligible performance impact on typical transactions on a multi-processor server
- Prevents the database from being attached to an unauthorized instance of SQL Server or MSDE.
- Can protect databases on backup media
- Can protect databases from the network, domain, or Windows administrators
- Can protect databases from the SQL sysadmin in certain cases (requires a dedicated SQL instance for the database).
- Can protect databases on laptops/desktops (using Encryptionizer for MSDE).
- Developers can use it to protect intellectual property, including proprietary business processes and schema of the database.
- Can be used to protect databases distributed on CD, over the Internet, etc.
- Optional APIs for encrypting non-database files such as documents, spreadsheets, or graphic images.
Whole Database Encryption Limitations
- Single key for the entire database
- Cannot protect against the SQL sysadmin in a SQL instance shared with other databases.
- Does not encrypt data travelling over a network.
Column Encryption Advantages
- More flexible in choosing which pieces of data to encrypt. Applications can be written to ultimately control when, where, by whom, and how data is viewed.
- Can protect data from the SQL sysadmin even where there is no dedicated SQL instance.
- Contains both an API interface for maximum power and flexibility, and a new seamless point-and-click interface for maximum ease of deployment.
- Different columns (and even different rows) can be encrypted with different keys.
- Can be combined with Encryptionizer DE to encrypt data over the network.
Column Encryption Limitations
- Small but present impact on performance in typical transactions - 5-6 percent on average- slower on accessing/updating an encrypted column versus plaintext column in typical transactions. The greater the number of columns encrypted, the greater potential for performance impact.
- Limitations on types of database searches that can be performed. For example, comparison searches on an encrypted column (e.g., LastName begins with “S”, Salary between $50,000 and $60,000) can be slow in a large database.
- Cannot protect the intellectual property of the database (e.g., schema, views).