Would encrypting a database protect against a compromised admin account?

Yes, such a system exists; it's called Application-Level Encryption. Under that system the encryption keys (or at least the Key-Encrypting Key, or KEK) are only available to the application. Data is encrypted by the application before being stored in the database, and encrypted blobs are retrieved from the database to be decrypted by the application.

The advantage of this is a sort of dual control: the DBAs, who can perform bulk actions against the entire database without much limitation, can only extract encrypted data. The application administrators, who hold the KEK, can decrypt anything in the database, but are limited to approved interfaces which may work piecemeal but not in bulk. It makes abuse of the decrypted data harder to perform and easier to detect.

There are disadvantages as well, primarily the inability to index or search upon plaintext characteristics of the encrypted data in the database. Also, it requires the application and database be written to support it; unlike whole-disk or whole-database encryption it's not as easy as flipping a switch.
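The following is an added example (not code from the answer above) of the envelope layout this answer describes: the application alone holds a KEK, each record gets its own data-encrypting key (DEK) that is wrapped with the KEK and stored next to the ciphertext, and a DBA doing a bulk export sees only blobs. It also shows the stated disadvantage: a plaintext equality search has to decrypt every row. To stay runnable with only the standard library, the `seal`/`unseal` pair is an HMAC-SHA256 keystream with an encrypt-then-MAC tag standing in for a real AEAD such as AES-GCM; the table name, column names and the way the KEK is loaded are assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

# Added example of application-level (envelope) encryption, not code from the
# answer. seal/unseal use an HMAC-SHA256 keystream plus an encrypt-then-MAC tag
# so the example runs with only the standard library; a real deployment would
# use an AEAD (e.g. AES-GCM) from a vetted crypto library instead.

NONCE_LEN, TAG_LEN = 16, 32


def new_key() -> bytes:
    # Assumed: in production the KEK comes from an application-side secret store.
    return os.urandom(32)


def _subkeys(key: bytes):
    # Derive independent encryption and MAC keys from one input key.
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag. A fresh nonce per call means equal
    plaintexts give different blobs, which is why the DB cannot index them."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ciphertext tampered with or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


# --- application side: the only place the KEK exists -----------------------

def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, ssn_ct BLOB, dek_wrapped BLOB)")
    return conn


def store_record(conn, kek: bytes, customer_id: int, ssn: str) -> None:
    dek = os.urandom(32)  # per-record data-encrypting key
    conn.execute(
        "INSERT INTO customers VALUES (?, ?, ?)",
        (customer_id, seal(dek, ssn.encode()), seal(kek, dek)),  # DEK wrapped by the KEK
    )


def read_record(conn, kek: bytes, customer_id: int) -> str:
    ssn_ct, dek_wrapped = conn.execute(
        "SELECT ssn_ct, dek_wrapped FROM customers WHERE id = ?", (customer_id,)
    ).fetchone()
    return unseal(unseal(kek, dek_wrapped), ssn_ct).decode()


def search_by_ssn(conn, kek: bytes, ssn: str) -> list:
    """The disadvantage from the answer: no index can help, so the application
    unwraps and decrypts every row to find a plaintext match."""
    hits = []
    for cid, ssn_ct, dek_wrapped in conn.execute("SELECT * FROM customers ORDER BY id"):
        if unseal(unseal(kek, dek_wrapped), ssn_ct).decode() == ssn:
            hits.append(cid)
    return hits


# --- DBA side: bulk access to the table, no KEK ----------------------------

def dba_dump(conn) -> list:
    return conn.execute("SELECT * FROM customers ORDER BY id").fetchall()


def dump_reveals(conn, secret: str) -> bool:
    """True if the plaintext appears anywhere in what a DBA can bulk-export."""
    needle = secret.encode()
    return any(needle in ct or needle in wrapped for _, ct, wrapped in dba_dump(conn))


if __name__ == "__main__":
    kek, conn = new_key(), setup_db()
    store_record(conn, kek, 1, "123-45-6789")
    store_record(conn, kek, 2, "123-45-6789")
    print("app reads:", read_record(conn, kek, 1))
    print("plaintext visible in DBA dump:", dump_reveals(conn, "123-45-6789"))
    rows = dba_dump(conn)
    print("equal SSNs share ciphertext:", rows[0][1] == rows[1][1])
    print("search needs a full decrypt scan:", search_by_ssn(conn, kek, "123-45-6789"))
```

The two rows holding the same SSN get different ciphertexts, which is exactly why the database cannot build an equality index on the column; the `search_by_ssn` full scan is the price of that property.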


On a database server, two different admin accounts can exist: the system admin account(s) and the database admin accounts. @gowenfawr's answer already addresses the database admin case, so I will focus on the system admin one.

In that case, you have lost. It is not possible to protect a machine from its administrator, because they have full access to any file on the system. As a server normally supports unattended reboots, the application will have to be able to extract the database decryption key, and someone with admin privileges should be able to extract that key too, because they could impersonate the application user.

There are some possible mitigation ways. One is when the data is encrypted client-side. In that case, the application only processes encrypted data with no possible access to the cleartext, so even with full access to the machine and to the database it is not possible to decrypt anything. This is a very secure but rather inconvenient way: if users lose their key, the data is definitely lost. Because of that, system admins are generally very reluctant to accept a security model that ignores them.

Any other way can only be obfuscation: the key, or at least the decrypting procedure, has to be accessible to the machine. It can be made very complex to find, so that you can hope to be able to close the door before the attacker could really extract any cleartext data, but it only makes sense if you have a global security system which analyses even apparently legitimate accesses to raise a warning when an account is used in an unusual way. You end up in the classical threat-risk/mitigation-cost question...

The best way would be to separate machines and admins for the database server and the application server. That way the database machine does not know the decryption key, hence the database admin cannot extract it. And an application admin has no way to extract everything from the database, but they can still access any data the application can access. Simply having different admin groups has a cost, and here again the threat-risk/mitigation-cost question applies.


My threat model is as follows: A legitimate admin account's username and password is compromised. Our attacker uses that account to log in remotely and download the database.

Any remote connection to your network should be protected by 2FA (especially any admin connection). This would mitigate your threat here. Furthermore, depending on the business needs, I would like to disallow access from the VPN VLAN to any VLAN which contains sensitive data such as the DB in question... this may be impossible if you are a virtual company.

My threat model is as follows: A legitimate admin account's username and password is compromised. Our attacker uses that account to log in remotely and download the database. I understand MFA and other access controls would protect here, but assume they've failed or otherwise been circumvented. I'm merely curious of encryption's effect here.

As for the use of encryption... one could store encryption keys in a secure vault which gives role-based access on a need-to-know basis. This would mitigate the risk for the specific DB in question if this admin isn't the admin of this DB.
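The following is an added example (not code from any of the answers) that ties together the role-based key vault from this answer and the earlier answer's point that a security system should analyse even apparently legitimate accesses and raise a warning when an account is used in an unusual way. It runs a small detector over constructed vault audit records: a policy check that only releases a key to the roles that need it, a check for a principal touching a key it has never used before, and a check for bulk unwrapping within a short window, which is what a compromised admin account downloading a whole database would look like from the vault's side. The record fields, key names, principals, thresholds and the sample events are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example, not from the answers. Models a key vault's audit trail and a
# detector over it. Every name and threshold below is an assumption.

# Role-based, need-to-know policy: which roles may unwrap with which KEK.
POLICY = {
    "customers-kek": {"app-customers"},
    "billing-kek": {"app-billing"},
}

# Which keys each principal normally uses (learned from past audit data).
BASELINE = {
    "svc-web": {"customers-kek"},
    "jsmith": set(),  # an admin account that has never needed a key before
}


def authorize(policy: dict, role: str, key_id: str) -> bool:
    """The vault's own check: release only to roles the policy lists."""
    return role in policy.get(key_id, set())


def _parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_unusual_use(events, policy=POLICY, baseline=BASELINE,
                       bulk_threshold=5, window=timedelta(minutes=1)):
    """Return (kind, principal, key_id, ts) alerts for:
    policy_denied          - role not permitted for that key
    new_key_for_principal  - first use of a key this principal never used before
    bulk_unwrap            - bulk_threshold unwraps by one principal inside window
    """
    alerts = []
    seen = {p: set(keys) for p, keys in baseline.items()}
    recent = defaultdict(deque)  # principal -> timestamps of allowed unwraps
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, p, k = _parse_ts(ev["ts"]), ev["principal"], ev["key"]
        if not authorize(policy, ev["role"], k):
            alerts.append(("policy_denied", p, k, ev["ts"]))
            continue
        if k not in seen.setdefault(p, set()):
            alerts.append(("new_key_for_principal", p, k, ev["ts"]))
            seen[p].add(k)
        q = recent[p]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) == bulk_threshold:  # fires when the threshold is first crossed
            alerts.append(("bulk_unwrap", p, k, ev["ts"]))
    return alerts


def sample_events() -> list:
    """Constructed audit records: a service's normal trickle of unwraps, then an
    admin account unwrapping eight DEKs in eight seconds and trying another key."""
    events = [
        {"ts": "2024-03-01T09:00:01Z", "principal": "svc-web", "role": "app-customers", "key": "customers-kek", "op": "unwrap"},
        {"ts": "2024-03-01T09:20:15Z", "principal": "svc-web", "role": "app-customers", "key": "customers-kek", "op": "unwrap"},
        {"ts": "2024-03-01T09:45:40Z", "principal": "svc-web", "role": "app-customers", "key": "customers-kek", "op": "unwrap"},
    ]
    for i in range(8):
        events.append({"ts": f"2024-03-01T09:30:0{i}Z", "principal": "jsmith",
                       "role": "app-customers", "key": "customers-kek", "op": "unwrap"})
    events.append({"ts": "2024-03-01T09:31:00Z", "principal": "jsmith",
                   "role": "app-customers", "key": "billing-kek", "op": "unwrap"})
    return events


def run_sample() -> list:
    return detect_unusual_use(sample_events())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The service account generates no alerts even though it unwraps keys all day, because its volume and key set match its baseline; the admin account trips all three checks with the same credentials, which is the "unusual way" the earlier answer wants a monitoring system to flag.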