When you need to store sensitive data such as CCs or SSNs, do you:
1) Build your own encryption routine within the application, define a secret key somewhere in a config
I agree with Mayo, but encryption in the DB could simplify the maintenance of the whole system.
Encryption at the application level requires you to manage the keys, the authentication and authorization phase for the keys, and the visualization of the data (according to what Mayo has written).
If you choose application encryption, you have to worry about the correctness of the algorithm not only in the development phase but also in the maintenance phase. You have to implement unit tests for no-regression. You have to manage a change of encryption algorithm, because maybe you want a different and better algorithm.
And you have to be sure that encrypted data will always be decrypted. It's not an obvious thing, because software has bugs and so on. Lost data is worse than clear data ;-)
Sure, you can use a well-known encryption library, but all the remaining things are a huge amount of work for you.
Encryption in the DB protects only in the DB, but you can consider using some sort of SSL communication with the DB. I think (but I'm not sure) TDE implements this kind of secure communication.
The application is used by the user, an untrusted entity. You have to consider that the data in the application is lost. Why? If I want to steal data from a system that implements encryption of the data at the application level or DB level, it could be enough to use a photo camera to get the data! Very simple!
You have to consider the security of the system, but the functionality too. The more the security, the less the functionality. I hope my considerations will be useful to you.
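
The two maintenance concerns raised in the answer above (changing the algorithm or key later, and being sure stored data can still be decrypted) are commonly handled with a versioned record format. The Go code below is an added example, not code from the original posts: the `Keyring` type, the one-byte version header, the demo key and the choice of AES-256-GCM are all assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type Keyring map[byte][]byte // key version -> AES-256 key (assumed layout)
func (k Keyring) aead(ver byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(k[ver]) // unknown version gives a nil key and an error
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal returns version || nonce || ciphertext, but only if it decrypts again.
func (k Keyring) Seal(ver byte, plain []byte) ([]byte, error) {
	a, err := k.aead(ver)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, a.NonceSize()) // 12 bytes for standard GCM
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	rec := a.Seal(append([]byte{ver}, nonce...), nonce, plain, []byte{ver})
	if back, err := k.Open(rec); err != nil || string(back) != string(plain) {
		return nil, fmt.Errorf("round-trip check failed, record not stored")
	}
	return rec, nil
}

// Open picks the key named in the header, so old records survive rotation.
func (k Keyring) Open(rec []byte) ([]byte, error) {
	if len(rec) < 13 { // version byte + 12-byte nonce
		return nil, fmt.Errorf("record too short")
	}
	a, err := k.aead(rec[0])
	if err != nil {
		return nil, err
	}
	return a.Open(nil, rec[1:13], rec[13:], rec[:1]) // version byte is authenticated
}
func main() {
	kr := Keyring{1: []byte("0123456789abcdef0123456789abcdef")} // constructed demo key
	fmt.Println(kr.Seal(1, []byte("constructed-test-value")))
}
```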