Implementing a Database Encryption Solution, Design and Implementation Issues Erez Shmueli a,f , Ronen Vaisenberg b , Ehud Gudes c , Yuval Elovici d,e a The Media Lab, Massachusetts Institute of Technology b The Dept. of Information and Computer Sciences, University of California at Irvine c The Dept. of Computer Science, Ben-Gurion University of the Negev d The Dept. of Information Systems Engineering, Ben-Gurion University of the Negev e Deutsche Telekom Laboratories, Ben-Gurion University of the Negev f Corresponding author. E-mail: shmueli@mit.edu, Fax: +1-617-253-8874 Abstract In this paper, we analyze and compare five traditional architectures for database encryption. We show that existing architectures may provide a high level of security, but have a significant impact on performance and impose major changes to the application layer, or may be transparent to the application layer and provide high performance, but have several fun- damental security weaknesses. We suggest a sixth novel architecture that was not considered before. The new architecture is based on placing the encryption module inside the database management software (DBMS), just above the database cache, and using a dedicated technique to encrypt each database value together with its coordinates. These two properties allow our new architecture to achieve a high level of data security while offering enhanced performance and total transparency to the application layer. We also explain how each architecture can be implemented in a commercial, open source DBMS. We evaluate the performance of the various architectures both analytically and through extensive experimentation. Our performance eval- uation results demonstrate that in most realistic scenarios, i.e., where only a part of the database content is stored in the database cache, the suggested architecture outperforms the others. Keywords: Relational Database, Security, integrity, and protection, Data Encryption. Preprint submitted to Elsevier April 4, 2014