I've been looking around for an answer to this for some time now and I felt that this place would be a good venue to ask this.

How can one improve the security in a MySQL database?

The database that I am currently playing around with only has its data encrypted. That is, the values in the tables are encrypted before being placed in the database.

Other than that, how can I improve the security and what do some readings mean by "database encryption"? I've read about some third-party programs that can encrypt the whole database and maybe even a certain table only.

Also, what kind of data do these programs affect? I imagine them affecting only the "data at rest". Or is it that there are live applications out there that interact with a live encrypted database?

I know that my question may seem to be all over the place but to sum it up:

1) What does "database encryption" mean? Is it field-value encryption or whole database encryption?

2) Do database encryption programs apply to live databases? Or only to archived/backed-up databases?

3) If live databases were to be encrypted, surely the code of the application that uses it would need to be changed, right?

4) What are some programs that you guys recommend for "database encryption"?

5) Would using BitLocker on the drive where the MySQL data is stored be a good alternative?

Shabutie

1 Answer

1) Yes, both are available. Databases can support field level, table level or full database security. They can also support externally controlled keys (provided by the client on connection to the DB) or DB managed keys (that are stored in the database and protected by the client's login credentials.)

2) Database encryption that doesn't apply to a live database would just be file encryption, though database encryption does still protect a live database that has been archived or backed up.

3) Not if the encryption is handled by the DB itself. The login account can unlock encryption keys stored in the DB and a good DBMS can handle the encryption/decryption transparently. If the encryption keys are handled by the client, then the connections would have to be updated to provide the key when accessing the data.

4) Any good DBMS should include built-in support for database encryption. You should not need a third-party tool. A third-party tool is not going to do as good a job since the DBMS needs to know how to access the encrypted records to do a good job.

5) It is not a bad alternative, though it is not nearly as secure. Encrypting a database protects not only against data at rest, but also against data being compromised while the server is running. If the server itself is compromised while running, BitLocker will do nothing to protect the database. Database encryption on the other hand will protect the data even if both the server and the DBMS are compromised (though a severe DBMS compromise might allow leakage when records are accessed by a legitimate user).

AJ Henderson
  • Wow, thanks for the answers even though my post was too broad. Learned something new from your reply. – Shabutie Feb 06 '14 at 08:36
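
The two cases from points 1 and 3 of the answer, shown side by side in MySQL as an added example (not code from the question or the answer): field-level encryption with a key the client supplies, and tablespace encryption the server manages. Table names, column names, the passphrase and the sample value are constructed; part (b) assumes InnoDB on MySQL 5.7.11 or later with a keyring plugin or component loaded.

```sql
-- (a) Field-level encryption, key supplied by the client session.
--     Every statement that touches the column must pass the key.
SET SESSION block_encryption_mode = 'aes-256-cbc';

-- Constructed demo key. A real application loads this from its own key
-- store. Anything passed to AES_ENCRYPT() travels in cleartext unless the
-- connection uses TLS, and can appear in server logs that record statements.
SET @field_key = UNHEX(SHA2('constructed-demo-passphrase', 256));

CREATE TABLE customer_field (
  id         INT AUTO_INCREMENT PRIMARY KEY,
  name       VARCHAR(100) NOT NULL,
  secret_iv  BINARY(16)     NOT NULL,  -- per-row IV, stored next to the ciphertext
  secret_enc VARBINARY(255) NOT NULL   -- ciphertext only; the key is not in the table
);

SET @iv = RANDOM_BYTES(16);
INSERT INTO customer_field (name, secret_iv, secret_enc)
VALUES ('Alice', @iv, AES_ENCRYPT('constructed-sample-value', @field_key, @iv));

-- A client holding the key gets the plaintext back.
SELECT name,
       CAST(AES_DECRYPT(secret_enc, @field_key, secret_iv) AS CHAR) AS secret
FROM customer_field;

-- A client without the key (or a copy of the data files) sees only bytes.
SELECT name, HEX(secret_enc) AS secret_enc_hex
FROM customer_field;

-- (b) Encryption managed by the server: the InnoDB tablespace file is
--     encrypted on disk, and the application's SQL does not change.
CREATE TABLE customer_tde (
  id     INT AUTO_INCREMENT PRIMARY KEY,
  name   VARCHAR(100) NOT NULL,
  secret VARCHAR(100) NOT NULL
) ENGINE=InnoDB ENCRYPTION='Y';

INSERT INTO customer_tde (name, secret)
VALUES ('Alice', 'constructed-sample-value');

-- Ordinary query; decryption happens inside the server, so any account
-- with SELECT on this table reads plaintext.
SELECT name, secret FROM customer_tde;
```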