Protection Levels

Please read the following carefully - it may save you time!

Easiest: Only Encryption, Maximum Transparency

This mode is very similar to Microsoft's TDE. It is only data-at-rest encryption for database files (data, log, filestream) and backups.

In many cases there are only formal requirements for protecting data. The easiest in this case would be to encrypt database files, but apply no additional access restriction. In this case application can use the database immediately after encryption. Take a look at how to enable this mode.

Most secure: Encryption and Protecting Database Schema

This mode also provides data-at-rest encryption for database files (data, log, filestream) and backups, but DbDefence goes further.

The key feature of DbDefence, and what makes it unique among other encryption tools, is that it can protect schema and data from DBA. With this feature (enabled by default), the database becomes protected from all kinds of applications, no matter whether it is a web service, replication or server admin with SQL Server Management Studio. You must take additional steps to allow access to your database. These steps may include:

Unlocking modes

Which unlocking mode is better?

Unlocking mode	Pros	Cons
By Application	Fine-grained security. Password is securely stored. Password sent in encrypted form over the network. Works with all kinds of applications without changes.	Software installation and configuration are required on each (!) client's computer. Some hypervigilant AV software may interfere with the application. Unlocking from the client adds some overhead per each connection.
By Login	No installation required on client's computer. No encryption password is sent over the network. Works with all kinds of applications and platforms without changes. No connection overhead. Very easy to setup.	Simplified security.
Programmatically (adding unlocking SQL statement to the application)	Only your application decides when to unlock the database.	Need to care about storing and transmitting a password securely. Requires changes in the application. Unlocking from the client adds some overhead per each connection.