
Column-Level Encryption

Spicy — senior dev territory | Database

ELI5 — The Vibe Check

Column-level encryption encrypts specific sensitive columns (like SSN, credit card numbers) while leaving everything else readable. The database stores ciphertext, and only authorized queries with the right key can decrypt it. It's a safe inside a safe — even if someone gets the database, those columns are gibberish.

Real Talk

Column-level encryption encrypts individual column values before storage, providing granular data protection. It can be implemented at the application layer (encrypt before insert, decrypt after select) or at the database layer (pgcrypto in PostgreSQL, Always Encrypted in SQL Server). Key management, the performance cost of querying encrypted columns, and the inability to index or filter on ciphertext are the main considerations.

Show Me The Code

-- PostgreSQL with pgcrypto
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- Ciphertext is binary, so the encrypted column is bytea
CREATE TABLE users (
  id serial PRIMARY KEY,
  name text,
  ssn_encrypted bytea
);

-- Encrypt on insert
INSERT INTO users (name, ssn_encrypted)
VALUES ('Alice', pgp_sym_encrypt('123-45-6789', 'secret_key'));

-- Decrypt on select (the key is supplied per query, never stored in the table)
-- Note: a key literal in the SQL text ends up in statement logs; pass it as a bound parameter instead
SELECT name, pgp_sym_decrypt(ssn_encrypted, 'secret_key') AS ssn
FROM users WHERE id = 1;
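The application-layer variant described under Real Talk, as an added example that is not from this page or its author: AES-256-GCM for the column value plus a keyed blind index (HMAC under a second key) for equality lookups, which is the usual answer to the "no WHERE clauses on ciphertext" limitation. It uses only the Go standard library; the key sizes, the ssn_index column and the function names are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// NewAEAD builds AES-GCM from the data key (a 32-byte key selects AES-256).
// The key lives in the application's KMS/HSM, never in the database itself.
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt runs before INSERT. A fresh random nonce means equal SSNs produce
// different ciphertext, which is exactly why the column cannot be indexed.
func Encrypt(g cipher.AEAD, plain string) ([]byte, error) {
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, []byte(plain), nil), nil // nonce||ct||tag
}

// Decrypt runs after SELECT and rejects truncated or tampered values.
func Decrypt(g cipher.AEAD, data []byte) (string, error) {
	n := g.NonceSize()
	if len(data) < n {
		return "", errors.New("ciphertext too short")
	}
	plain, err := g.Open(nil, data[:n], data[n:], nil)
	return string(plain), err
}

// BlindIndex is deterministic under a separate HMAC key, so the application can
// run WHERE ssn_index = ? without decrypting; it reveals only which rows share
// a value and supports exact-match lookups only (hypothetical ssn_index column).
func BlindIndex(indexKey []byte, plain string) string {
	mac := hmac.New(sha256.New, indexKey)
	mac.Write([]byte(plain))
	return hex.EncodeToString(mac.Sum(nil))
}
```

Store Encrypt's output in the bytea column and BlindIndex's output in a separate, indexed text column; lookups then compare blind indexes, never plaintext or ciphertext.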

When You'll Hear This

"We encrypt SSN and credit card columns but leave names and emails in plaintext." / "Column-level encryption means you can't do WHERE clauses on encrypted data without decrypting first."

Made with passive-aggressive love by manoga.digital. Powered by Claude.