Database Encryption

Without any application code changes, the solution tokenizes and encrypts data in Postgres, MySQL, MariaDB, and Microsoft SQL Server at the field or row level. 

Database Encryption

Database encryption is a cryptography method that adds an additional layer of data security which can be used to protect against data breaches from anyone other than authorized users. Sensitive information within your databases, such as credit card numbers or personally identifiable information (PII), can get into the wrong hands even with the most sophisticated and complex protection measures in place. Database encryption ensures that even if someone gains unauthorized access to sensitive data, it will be stored as a sort of "cipher text" that is incomprehensible and therefore, cannot be used because of how difficult it is to decrypt.

Relational databases such as MySQL/MariaDB, Postgres, Microsoft SQL Server, AWS Redshift and Snowflake provide various encrypting and authentication options for both data at rest and data in motion, and most database engineers are using one or more of the many encryption types available today.

The typical form of encryption put in place for most Database Management Systems (DBMS) at-rest known as Transparent Data Encryption (TDE) were designed to protect against physical data theft or database server break-ins.

But to assume that this type of encryption will keep your entire database safe from a data breach or any level of decryption is short-sighted, because today’s data centers and databases in the cloud are not being hacked this way. (See “Why You Can’t Stop Data Breaches”).

What’s needed is a data-centric - rather than a container-based - protection method.

However, that raises another valid concern: don’t these column or field level encryption methods result in reduced performance? Plus, won’t they require changes to the algorithm, application code or complex deployment and management?

Most of the time, the answer is "Yes." Quite often, the impact on development and performance trade-offs rule out this more robust database encryption model. Instead, companies make the decision to expose their data and risk a breach, rather than pay the cost of more performance overhead and additional development resources.

Baffle addresses these trade-offs to provide database encryption options for Postgres, MySQL, MariaDB, Microsoft SQL Server, AWS Redshift, and Snowflake with a simplified no-code data protection model.

Baffle’s invisible data protection layer secures the actual data values and PII in databases, storing encrypted data with no encryption key or key management system present, topped off by virtually no performance overhead or loss in functionality.

Without any application code changes, our solution tokenizes and encrypts data in Postgres, MySQL, MariaDB, and Microsoft SQL Server at the field or row level.

With Baffle Database Encryption, you get:

  • Support for Postgres, MySQL, MariaDB, Microsoft SQL Server, AWS Redshift, and Snowflake
  • Support for AWS RDS, Microsoft Azure, Google Compute Platform (GCP), IBM Cloud
  • Support for database migration services such as AWS DMS and Microsoft Azure
  • Out-of-the-box integration with encryption key management solutions - AWS KMS, Azure Key Vault, HashiCorp Vault
  • Simplified "no code" deployment model
  • Supports cloud native services and container-based environments
  • Fast performance with minimal overhead 

Baffle’s security contract ensures that the decryption key and encrypted data are never co-mingled, to reduce the risk of insider threat, privileged access and side channel attacks.

Baffle’s solution provides no code approaches for the following for Postgres, MySQL/MariaDB, SQL Server, AWS Redshift, and Snowflake:

  • Field Level Encryption
  • Record Level Encryption
  • Tokenization and Format Preserving Encryption (FPE)
  • Dynamic Data Masking
  • Data-Centric File Protection

Learn more about Baffle’s Data Protection Services here.


database encryption

Baffle Shield placement within a traditional application and database architecture.

Postgres Encryption Demo

Watch this 2 minute 30 second video on encryption of an AWS RDS Postgres database.  This shows an in place migration to demonstrate how transparently Baffle can enable simplified data protection.

Simplifying Encryption White Paper

Baffle Data Protection Services aims to make encryption simple to adopt without disrupting existing application functionality – it protects data all the way up to a record level granularity and supports four modes of protection depending on the level of security desired.

Baffle Data Protection Services

Baffle’s solution simplifies protection of your data in the cloud without requiring any application code modification or embedded SDKs.

Below are additional resources if you're interested in learning more or feel free to Request a Demo to speak with one of our solutions architects.

Our Solution

Baffle delivers an enterprise-level transparent data security platform that secures databases via a "no code" model at the field or file level. The solution supports tokenization, format-preserving encryption (FPE), database and file AES-256 encryption, and role-based access control. As a transparent solution, cloud-native services are easily supported with almost no performance or functionality impact.

Icon Simplified


No application code modification

Icon Fast


Virtually no performance

Icon Seamless


Integrates easily into your

Icon Secure


AES encryption in memory, in use,
and at-rest

Schedule a live demo with one of our solutions experts to get answers to your questions