Database Encryption

Without any application code changes, the solution tokenizes and encrypts data in Postgres, MySQL, MariaDB, and Microsoft SQL Server at the field or row level. 


Database encryption is an additional layer of security that can be used to protect against data breaches. Sensitive information, such as credit card numbers or personally identifiable information (PII), can get into the wrong hands even with the most sophisticated and complex protection measures in place. Database encryption ensures that even if someone gains access to the data, it is incomprehensible and cannot be used.

Relational databases such as MySQL/MariaDB, Postgres and Microsoft SQL Server provide various encryption options for both data at rest and data in motion, and most database engineers are using one or more of the many encryption types available today.

The typical methods for database encryption at rest, known as Transparent Database Encryption (TDE), were designed to protect against physical data theft or data center break-ins.

But to assume this type of encryption will keep you safe from a data breach is short-sighted, because today’s data centers and databases in the cloud are not being hacked this way (see “Why You Can’t Stop Data Breaches”).

What’s needed is a data-centric, rather than a container-based, protection method. 

But that raises another valid concern: don’t these column or field level encryption methods result in reduced performance? And won’t they require changes to application code or complex deployment and management? 

Most of the time, the answer is yes, and quite often the development impact and performance trade-offs rule out this more robust database encryption model. Instead, companies decide to leave their data exposed and risk a breach rather than pay the cost of more performance overhead and additional development resources.

Baffle addresses these trade-offs to provide database encryption options for Postgres, MySQL, MariaDB, and Microsoft SQL Server with a simplified no-code data protection model. 

Baffle’s invisible data protection layer secures your data in databases, storing encrypted data with no encryption key present and with virtually no performance overhead.


  • Support for Postgres, MySQL, MariaDB, Microsoft SQL Server
  • Support for AWS RDS, Microsoft Azure, Google Cloud Platform (GCP)
  • Support for database migration services such as AWS DMS and Microsoft Azure
  • Out-of-the-box integration with encryption key management solutions - AWS KMS, Azure Key Vault, HashiCorp Vault
  • Simplified "no code" deployment model
  • Supports cloud native services and container-based environments
  • Fast performance with minimal overhead 

Baffle’s security contract ensures that the key and encrypted data are never co-mingled, reducing the risk of insider threat, privileged access and side-channel attacks.

Baffle’s solution provides no-code approaches to the following for Postgres, MySQL/MariaDB, and SQL Server:

  • Field Level Encryption
  • Record Level Encryption
  • Tokenization and Format Preserving Encryption (FPE)
  • Dynamic Data Masking
  • Data-Centric File Protection


Baffle Shield placement within a traditional application and database architecture.

Postgres Encryption Demo

Watch this 2 minute 30 second video on encryption of an AWS RDS Postgres database. It shows an in-place migration to demonstrate how transparently Baffle can enable simplified data protection.

Simplifying Encryption White Paper

Baffle Advanced Data Protection solution aims to make encryption simple to adopt without disrupting existing application functionality – it protects data all the way up to a record level granularity and supports four modes of protection depending on the level of security desired.

Cloud Data Protection Platform

Baffle’s solution simplifies protection of your data in the cloud without requiring any application code modification or embedded SDKs.

Tokenize Your Data in AWS RDS with AWS KMS

Watch this webinar to learn about different tokenization and data encryption techniques and see how you can stand up a demo of Baffle's Data Protection Services in conjunction with AWS RDS and AWS KMS in a matter of minutes. See how data can be easily de-identified or tokenized for your AWS RDS environment to mitigate the risks of data leakage and breaches.

Our Solution

Baffle delivers a transparent data protection service layer that secures data at the field or file level via a "no code" model.  The solution supports tokenization, format preserving encryption (FPE), database and file AES-256 encryption, privacy preserving analytics and access control. As a transparent solution, cloud native services are easily supported with almost no performance impact.

  • No application code modification
  • Virtually no performance
  • Integrates easily into your
  • AES encryption in memory, in use, and at-rest
