Software-based Encryption vs. Hardware-based Encryption
Executive Summary
Today, many organizations are evaluating or implementing solutions for encrypting data at rest, both as a means to combat data theft and to ensure compliance with a range of legislative and industry mandates. For encryption to adequately and cost-effectively address security gaps, organizations must manage their implementation in a way that is best suited to their specific infrastructure and security policies. One of the key decisions confronting organizations considering data-at-rest encryption is whether to deploy software-based products or hardware-based solutions such as SafeNet™ DataSecure™ Platforms. This document outlines the main differences between the two alternatives, offering information on such criteria as security, performance, and manageability.
Centralized vs. Distributed Key Storage
Distributed Key Storage and Software-based Encryption
Software-based encryption solutions use a distributed key storage mechanism: keys are stored on the application and database servers on which the data to be encrypted resides. In the simplest case, where only one database server exists, key management is relatively simple. However, in an enterprise environment, where the application and database servers often number in the hundreds, it becomes increasingly difficult to manage the cryptographic keys residing on these servers. In addition, as the complexity of key management increases, so does the risk of failing to back up a key, or of losing one.
When organizations use software-based approaches to encrypt data that is stored on backend servers and databases, the cryptographic keys are distributed in a decentralized fashion. This poses security vulnerabilities because database and application servers are often configured incorrectly and not kept up to date with the latest security patches, making them easy prey for cyber attackers outside the organization—and they are easily accessible to a number of internal employees who may not have proper security credentials. When cryptographic keys are stored on unsecured platforms, attackers can gain access to them very quickly because the keys are often stored in an easily readable plaintext format. And as more keys are stored on servers, it becomes even easier to locate and manipulate them.
Centralized Key Storage with SafeNet DataSecure Platforms
Companies have distributed networks, which makes management of the keys, and of the security policies behind those keys, the most important aspect of securing sensitive data. The SafeNet DataSecure Platform is a centralized key storage solution. All keys are created on, reside on, and never leave the SafeNet platform. This significantly simplifies management of key backup, restoration, and key rotation, since all keys are stored in one place. The DataSecure platform is capable of creating thousands of keys—including keys for robust encryption algorithms such as RSA, 3DES, and AES—that can be used by multiple application or database servers. Additionally, when an encryption key is “at rest” on the internal DataSecure disk, it is twice encrypted for added security using several internal SafeNet keys designed for this purpose. Customers can also choose a DataSecure Platform containing a FIPS 140-2 Level 3-compliant hardware security module, which supports U.S. government requirements to ensure that the storage media itself is extremely tamper-resistant.
About SafeNet
Founded in 1983, SafeNet is a global leader in information security. SafeNet protects its customers’ most valuable assets, including identities, transactions, communications, data, and software licensing, throughout the data lifecycle. More than 25,000 customers across both commercial enterprises and government agencies, and in over 100 countries, trust their information security needs to
Administration and Access Control
The only way to access the DataSecure platform for administrative purposes is via a secure Web management console, a command line interface over SSH, or a direct console connection. Unlike database and application servers, no one can “log on” to the SafeNet platform using a standard Windows logon or UNIX shell.
Access to SafeNet platforms is restricted to SafeNet utilities and commands designed to manage and maintain the SafeNet appliance. The DataSecure appliance has been hardened for security: the TCP listeners and services typically found on application or database servers do not exist on it. Consequently, it is impossible to search for keys residing on the DataSecure
For added security, the platform can be configured so that individual administrators are granted access only to the areas for which they are responsible. DataSecure offers over 20 access control lists (ACLs), which provide granular control over administrative functions. For example, one administrator might only be given access to network configuration functions, while another might only be given access to certificate management controls. This level of granular access control enables customers to control and closely monitor administrative operations. All actions performed by users and administrators are logged for reporting purposes.
Implementation Options
Software-based encryption solutions generally provide one implementation option: deploying encryption at the database layer. While this alternative may make sense for certain organizations, many enterprises need to encrypt elsewhere, sometimes due to infrastructure requirements or security objectives. With SafeNet, organizations can implement encryption at multiple tiers within the infrastructure, and a single appliance can be integrated with a number of Web servers, application servers, and databases. This affords enterprises a great deal of flexibility to adapt encryption to their specific performance, implementation, and security requirements. For example, an organization may choose to permit an application server that resides in a relatively open, insecure portion of the network to make only encrypt requests, while a database residing in a more secure location would be able to make decryption calls.
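The encrypt-only application server and decrypting database described above, with keys that never leave the central service and every request audited, as an added Go example (illustrative code written for this page, not SafeNet's API; the service, client ids and policy map are assumptions):

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyService is a hypothetical model of a central key appliance: one AES-256 key that never
// leaves it, a per-client policy of permitted operations ("encrypt", "decrypt"), and an audit trail.
type KeyService struct {
	aead   cipher.AEAD
	policy map[string]map[string]bool
	Audit  []string
}

// NewKeyService generates the key inside the service and installs the per-client policy.
func NewKeyService(policy map[string]map[string]bool) (*KeyService, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	return &KeyService{aead: g, policy: policy}, err
}

// Request enforces the client's policy and audits the outcome; ciphertexts carry their GCM nonce as a prefix.
func (s *KeyService) Request(client, op string, data []byte) (out []byte, err error) {
	defer func() { s.Audit = append(s.Audit, fmt.Sprintf("client=%s op=%s ok=%t", client, op, err == nil)) }()
	if !s.policy[client][op] {
		return nil, fmt.Errorf("client %q is not permitted to %s", client, op)
	}
	n := s.aead.NonceSize()
	if op == "encrypt" {
		nonce := make([]byte, n)
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		return s.aead.Seal(nonce, nonce, data, nil), nil
	}
	if op != "decrypt" || len(data) < n {
		return nil, fmt.Errorf("unsupported operation %q or ciphertext too short", op)
	}
	return s.aead.Open(nil, data[:n], data[n:], nil)
}
```

A caller builds the service with a policy such as {"appserver": {"encrypt": true}, "db": {"encrypt": true, "decrypt": true}} and routes every cryptographic call through Request, so the denied decrypt attempt from the open segment shows up in Audit rather than succeeding.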
Scalability and Performance
Software-based cryptographic solutions do not scale because all cryptographic operations are performed on the application or database server’s CPU. This typically adds 10 to 25% to the existing load on a database server, and the approach is inherently flawed when you consider scalability: the customer must add application and database servers when their servers’ load threshold is exceeded. This can significantly increase the cost of ownership when factoring in the cost of new hardware and software (operating system, database licenses, and encryption
On the other hand, the SafeNet solution offloads all cryptographic operations to the DataSecure server. This practically eliminates any additional load on the customer’s servers, and it permits DataSecure to scale horizontally. That is, the customer can add as many SafeNet cryptographic servers as required by inserting another SafeNet appliance into the cluster. Performance can be increased as needed, and the customer can scale their database encryption as their organization and transaction rates grow. One DataSecure appliance can have many databases and/or application servers accessing it simultaneously for different cryptographic needs.
Cost of Ownership
As illustrated above, it is far more complex to manage keys, users, and security policies with a software-based encryption solution than with a centralized hardware offering. This complexity increases as software-based cryptographic solutions are deployed across a large number of application and database servers, and the problem is significantly magnified in an enterprise environment, where architectures are typically composed of hundreds of applications and many databases.
Although software-based encryption solutions typically require a smaller initial investment than a hardware-based solution, the IT costs of deploying and administering these software-based solutions in complex enterprise environments often make the long-term costs of these solutions prohibitive.
©2010 SafeNet, Inc. All rights reserved. SafeNet and SafeNet logo are registered trademarks of SafeNet.
All other product names are trademarks of their respective owners. WP (EN)-12.09.11