Raw encryption

Raw encryption allows you to encrypt data inside the database server into a format that can be exported and decrypted outside of the database server. The encrypted format is referred to as raw. To encrypt data in the raw format, you must specify the encryption key, the initialization vector, and optionally a padding format. To decrypt the data, you must specify the same parameter values.

You can also use the DECRYPT function to decrypt the data inside the database server.

Raw encryption is useful when:

You want to prevent database users from having access to the data – You can use raw encryption to encrypt sensitive data that you do not want even your database administrators to have access to, and then decrypt the data using a client application without the use of the database server. Raw encryption is not recommended when the data needs to be encrypted and decrypted only by the database server.
You cannot use TLS encryption – You can use raw encryption instead of TLS encryption. Unlike TLS encryption, raw encryption cannot prevent replay or person-in-the-middle attacks, nor can it authenticate database servers.

Example

You need to send data from the binary_data column of the SensitiveData table in your database to a client that does not use databases. Because the data is sensitive, you encrypt the data into raw format using the following SQL statement:

SELECT ENCRYPT( binary_data, 'TheEncryptionKey','AES(FORMAT=RAW)',
'ThisIsTheIV' )FROM SensitiveData;

You copy the encrypted data to the client along with an application that can decrypt the contents. You also provide the encryption key (TheEncryptionKey) and the initialization vector (ThisIsTheIV) to the client to use with the application. The client uses the application to decrypt the data and view it.