Column-level encryption
Column-level encryption is a technique that encrypts specific data columns within a database table, rather than the entire database. It is a form of application-level encryption: the application, or an encryption service it calls, encrypts a value before writing it and decrypts it after reading it, so the database itself only ever stores ciphertext. The closely related term field-level encryption usually describes the same approach applied to individual fields of a record or document rather than to a relational column.
Column-level encryption is typically used to provide extra protection for specific types of PII, such as social security numbers (SSNs), bank account numbers (BANs), health information, and similar sensitive data.
The key advantage of column-level encryption over data-at-rest encryption such as transparent data encryption (TDE) is that the data is not decrypted automatically by the database. TDE protects the database files and backups on disk, but the engine decrypts them transparently for every authenticated session, so anyone who can log in and run a query, including an attacker, sees plaintext.
In this approach, the database does not hold the decryption keys. Instead, the keys are kept elsewhere: in the application backend, in a key management system (KMS), or in an external encryption service such as Piiano Vault. This separation is what makes the technique work; if the keys live in the database itself, as some database-native encryption functions arrange, a database compromise exposes the keys along with the data.
As a result, even if an attacker gains direct access to the database, whether through stolen credentials, a copied backup, or an injection flaw, the encrypted columns yield only ciphertext. Only a component that holds the key, normally the application, can decrypt and read the data, so database credentials alone are not enough. Two caveats follow. The protection ends where the key does: an attacker who compromises the application or its key store can decrypt whatever it can. And the database can no longer search, sort, or index an encrypted column by its plaintext; equality lookups need a deterministic scheme or a separate keyed hash of the value (a blind index), and range queries are generally not possible.
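The separation described above, as an added example that is not part of the original page and not Piiano's own code: a Go program in which a Table stands in for the database and holds only ciphertext, while an App holds the AES-256-GCM data key and a separate HMAC key for a blind index so that equality lookups on the encrypted column still work. The names Table, App, NewApp, InsertCustomer, LookupBySSN and blindIndex are the example's own, the keys are generated in-process rather than fetched from a KMS, and the customer record is constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Row is a customer record as the database stores it; the SSN column never holds plaintext.
type Row struct {
	ID       int
	Name     string
	SSNNonce []byte // AES-GCM nonce, unique per value
	SSNCt    []byte // AES-GCM ciphertext + tag
	SSNIndex string // hex(HMAC-SHA256(indexKey, ssn)), for equality lookups only
}

// Table stands in for the database: rows and no keys, so this is all a DB login can see.
type Table struct{ Rows []Row }

// aad ties a ciphertext to its table, column and row, so a ciphertext moved to
// another row fails authentication on decrypt.
func aad(id int) []byte { return []byte(fmt.Sprintf("customers.ssn:%d", id)) }

// NewAEAD builds AES-256-GCM from a raw 32-byte key.
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// DecryptSSN is the only path back to plaintext; any key but the sealing one fails the tag check.
func DecryptSSN(aead cipher.AEAD, r Row) (string, error) {
	pt, err := aead.Open(nil, r.SSNNonce, r.SSNCt, aad(r.ID))
	return string(pt), err
}

// App is the application backend, the one component holding keys. In production they
// come from a KMS or encryption service; here they are generated in-process (an assumption).
type App struct {
	aead     cipher.AEAD
	indexKey []byte
	DB       *Table
}

func NewApp(db *Table) (*App, error) {
	keys := make([]byte, 64) // first 32 bytes: data encryption key; last 32: blind-index key
	if _, err := rand.Read(keys); err != nil {
		return nil, err
	}
	aead, err := NewAEAD(keys[:32])
	return &App{aead: aead, indexKey: keys[32:], DB: db}, err
}

// blindIndex is deterministic per SSN under indexKey, so "WHERE ssn_index = ?" works,
// while the table alone lets nobody recover or guess-and-check SSNs.
func (a *App) blindIndex(ssn string) string {
	m := hmac.New(sha256.New, a.indexKey)
	m.Write([]byte(ssn))
	return hex.EncodeToString(m.Sum(nil))
}

// InsertCustomer encrypts the SSN before the row ever reaches the table.
func (a *App) InsertCustomer(id int, name, ssn string) error {
	nonce := make([]byte, a.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ct := a.aead.Seal(nil, nonce, []byte(ssn), aad(id))
	a.DB.Rows = append(a.DB.Rows, Row{id, name, nonce, ct, a.blindIndex(ssn)})
	return nil
}

// LookupBySSN finds a customer by exact SSN via the blind index, then decrypts to confirm.
func (a *App) LookupBySSN(ssn string) (Row, error) {
	idx := a.blindIndex(ssn)
	for _, r := range a.DB.Rows {
		if r.SSNIndex == idx {
			if pt, err := DecryptSSN(a.aead, r); err == nil && pt == ssn {
				return r, nil
			}
		}
	}
	return Row{}, fmt.Errorf("no customer with that SSN")
}

func main() {
	db := &Table{}
	app, _ := NewApp(db)
	app.InsertCustomer(1, "Alice Example", "123-45-6789") // constructed sample data
	r, _ := app.LookupBySSN("123-45-6789")
	fmt.Printf("DB login sees ssn=%x; app lookup -> %s\n", db.Rows[0].SSNCt, r.Name)
}
```

Reading db.Rows directly, which is what a stolen database login gets, yields ciphertext and index hashes only. DecryptSSN under any key other than the one held by App fails GCM's tag check, and because the row ID is bound in as associated data, a ciphertext copied into a different row fails the same check. Only exact-match lookups are possible through the blind index; sorting or range queries on the SSN would need a different scheme.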
To learn more about column-level encryption, how it compares to other types of encryption, the algorithms commonly used, and how to create a quick proof-of-concept implementation for SQL Server, see Column-Level Encryption 101: What It Is, Implementation & Benefits.