Cracking the Confusion: Encryption Decision Tree

By Rich

This is the final post in this series. If you want to track it through the entire editing process, you can follow along and contribute on GitHub. You can read the first post, and find the other posts under “related posts” in full article view.

Choosing the Best Option

There is no way to fully cover all the myriad factors in picking a specific encryption option in a (relatively) short paper like this, so we compiled a visual decision tree to at least get you into the right bucket.

Here are a few notes on the decision tree.

  • This isn’t exhaustive but should get you looking at the right set of technologies.
  • In all cases you will want secure external key management.
  • In general, for discrete data (individual fields or records) you want to encrypt as high in the stack as possible, i.e. as close to the application as you can. When you don’t need as much separation of duties, encrypting lower (database, file system, or volume) may be easier and more cost-effective.
  • For both database and cloud encryption, in a few cases we recommend you encrypt in the application instead.
  • When we list multiple options the order of preference is top to bottom.
  • As you use this tree keep the Three Laws in mind, since they help guide the security value of your decision.
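The two notes above that matter most in practice are "encrypt as high in the stack as possible" and "use external key management". The following Go program is an added example, not code from the original post or from Securosis, showing what that combination looks like for one discrete sensitive field: the application encrypts the field with a per-record data key, that data key is wrapped by a key-encryption key that lives only in a key manager, and the database stores ciphertext plus the wrapped key. The `KeyManager` type is a hypothetical in-process stand-in for an HSM or cloud KMS, and the record layout and field names are assumptions for illustration. Anyone with only database or file-system access (a DBA, a stolen backup, a volume snapshot) gets ciphertext and a wrapped key they cannot unwrap, which is the separation of duties the note is about.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyManager is a hypothetical stand-in for an external key manager (HSM or
// cloud KMS). It exposes only wrap/unwrap of data keys; the key-encryption key
// (KEK) never leaves it. In production this is a network or PKCS#11 call.
type KeyManager struct {
	kek []byte
}

func NewKeyManager() (*KeyManager, error) {
	kek := make([]byte, 32) // AES-256 KEK, generated inside the "KMS"
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyManager{kek: kek}, nil
}

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with AES-GCM under key and returns nonce||ciphertext.
// aad is authenticated but not encrypted, so tampering with it fails decryption.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any change to the blob or the aad yields an error.
func open(key, blob, aad []byte) ([]byte, error) {
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// WrapDataKey and UnwrapDataKey are the only operations the key manager offers.
func (k *KeyManager) WrapDataKey(dek []byte) ([]byte, error)  { return seal(k.kek, dek, []byte("dek")) }
func (k *KeyManager) UnwrapDataKey(w []byte) ([]byte, error) { return open(k.kek, w, []byte("dek")) }

// Record is what actually lands in the database (assumed layout). Only the
// sensitive field is encrypted; Email stays searchable in the clear.
type Record struct {
	ID         string
	WrappedDEK []byte // data key, wrapped by the KMS; useless without the KEK
	SSN        []byte // ciphertext of the sensitive field
	Email      string
}

// EncryptRecord runs in the application tier: fresh data key per record,
// wrapped by the KMS, and the record ID bound as AAD so a ciphertext cannot be
// copied into another row and decrypted there.
func EncryptRecord(km *KeyManager, id, ssn, email string) (Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Record{}, err
	}
	wrapped, err := km.WrapDataKey(dek)
	if err != nil {
		return Record{}, err
	}
	ct, err := seal(dek, []byte(ssn), []byte(id))
	if err != nil {
		return Record{}, err
	}
	return Record{ID: id, WrappedDEK: wrapped, SSN: ct, Email: email}, nil
}

// DecryptSSN needs the key manager: a DBA holding the row alone cannot do this.
func DecryptSSN(km *KeyManager, r Record) (string, error) {
	dek, err := km.UnwrapDataKey(r.WrappedDEK)
	if err != nil {
		return "", err
	}
	pt, err := open(dek, r.SSN, []byte(r.ID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	km, _ := NewKeyManager()
	rec, _ := EncryptRecord(km, "user-42", "123-45-6789", "a@example.com") // constructed sample
	fmt.Printf("stored in DB: id=%s ssn=%x\n", rec.ID, rec.SSN)
	ssn, _ := DecryptSSN(km, rec)
	fmt.Println("application view:", ssn)
}
```

The same row handed to a second key manager, or the ciphertext moved to a different record ID, fails to decrypt; that is the check to keep in mind when comparing this against TDE or file-system encryption, which protect the files but hand cleartext to anyone the database itself trusts.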

Encryption Decision Tree

Once you understand how encryption systems work, the different layers where you can encrypt, and how they combine to improve security (or not), it’s usually relatively easy to pick the right approach.

The hard part is to then architect and implement the encryption technology and integrate it into your data center, application, or cloud service. That’s where our other encryption research can be valuable, and the following reports should help:


Thank you Rich and gang. Interesting and useful blog. I especially like the flow chart graphic. Although, I would contend that for Database security of “Most or all fields being sensitive”, File-system level/Transparent File encryption is also a great solution. It encrypts your full database, if implemented correctly has very low overhead, and has the added advantage over TDE that it works on any database (not proprietary like TDE) and it also can be used to encrypt the associated unstructured data, such as config files, log files, and reports generated from the database.

By Charles Goldberg

A short series but very interesting and useful. Thanks

By Donald Callahan
