# Database Security: Encryption Options (TDE, Field-Level)

One-sentence definition: Protecting data at rest in databases via Transparent Data Encryption (TDE) and column/field-level encryption.

## Key Facts

- TDE: encrypts the database storage files; requires minimal application changes; protects against lost or stolen media and backups.
- Field-level: per-column confidentiality; keeps plaintext out of reach of DBAs and other storage-level readers.
- Trade-offs: key management, performance, and query limitations (encrypted columns cannot be indexed or searched in the usual way).
- Combine with application-layer encryption for highly sensitive data.
- Backups and replicas must preserve the encryption and the associated keys.
- **Verify:** check the official (ISC)² CBK and the current exam outline.

## Exam Relevance

- Select the encryption scope based on the threat being addressed and on usability.

**Mnemonic:** “TDE for disks; fields for secrets.”

## Mini Scenario

Q: Need to hide SSNs from DBAs. Approach?

A: Field-level or application-layer encryption with limited detokenization.

## Revision Checklist

- Define TDE vs. field-level encryption.
- Name a key management requirement.
- State a performance consideration.

## Related

[[Data Encryption Overview (Asset Security)]] · [[Key Management Basics (Asset Security)]] · [[Tokenization]] · [[Database Security: Access Models (RBAC, ABAC, RLS)]] · [[Object Storage Security (Buckets, Versioning, Immutability)]] · [[Domain 2 - Index]]