sql server vs .net encryption

Question

I have to store a small number of database fields (~3) in encrypted form in database tables.

In general, is it better to encrypt/decrypt data within an application using

Answer 1

For internal applications where you are not worried about "investigators" from the Internet, I prefer to do the encryption at the database. That way if something goes south with your application (for whatever reason) you are not reliant on that app to get the data back. Your app also, then, does not have the dependency on the encryption mechanisms or the overhead of performing the application. It can assume that it will be taken care of at the database making the code more maintainable.

It is also more convenient for apps that have multiple interfaces or gateways. The data is encrypted / decrypted centrally. What you would need to in that case, though, is make sure the data is being passed to / from the database via a secure tunnel (SSL or VPN or something similar), otherwise it doesn't mean a thing to encrypt the data at all; it can be easily intercepted with a standard network sniffer.

For shared hosting environments I prefer to do encryption within the app for security purposes. In that situation I control the keys and not the host provider.