Three ways to protect an SQL Server database

In all three ways, DbDefence encrypts database files completely: data, log, filestream, and backups.

DbDefence was designed especially for SQL Server with the idea in mind that encryption should be available to anyone without special knowledge and changes in an application. There is an API for those who like programming.

The unique advantage of DbDefence is optional security enforcement. Access to the database may be restricted so, that only selected SQL logins or applications access the database.

Which way is yours?

Put your requirements in one sentence:

  • "I have a requirement for data-at-rest encryption." Go to Method 1.
  • "I want to protect my database and don't want anyone to browse it." Go to Method 2.
  • "I want to protect only some tables/columns." Go to Method 3.

Method 1: Transparent database encryption only

This mode is suitable for customers who have a data-at-rest encryption requirement and looking for an affordable replacement for Microsoft's TDE. There are no additional security layers applied in this mode. All applications work as before encryption*.

Method 2: Transparent database encryption with schema protection

In this mode, data files are encrypted as usually, but the whole database schema is protected. When access is declined, the database can't even be browsed in SQL Management Studio. Backups may also be restricted. DbDefence adds a unique protection layer and lets only selected SQL logins or selected applications to access the database.

Method 3: Transparent database encryption with masking

In this mode, all data files are encrypted, but security admin may protect certain columns from being viewed by anyone, even local administrators. DbDefence adds a unique protection layer and lets only selected SQL logins or selected applications to see the real column values. Columns may be masked, completely hidden, or masks may display fake data.


* In all 3 modes, SQL Server's native backups work without changes, but 3rd party backup tools, for example, Redgate Backup, may require some adjustments in its settings.