Implementing a database encryption solution, design and implementation issues

In this paper, we analyze and compare five traditional architectures for database encryption. We show that existing architectures may provide a high level of security, but have a significant impact on performance and impose major changes to the application layer, or may be transparent to the application layer and provide high performance, but have several fundamental security weaknesses. We suggest a sixth novel architecture that was not considered before. The new architecture is based on placing the encryption module inside the database management software (DBMS), just above the database cache, and using a dedicated technique to encrypt each database value together with its coordinates. These two properties allow our new architecture to achieve a high level of data security while offering enhanced performance and total transparency to the application layer. We also explain how each architecture can be implemented in a commercial, open source DBMS. We evaluate the performance of the various architectures both analytically and through extensive experimentation. Our performance evaluation results demonstrate that in most realistic scenarios, i.e., where only a part of the database content is stored in the database cache, the suggested architecture outperforms the others.