Ensuring security is a significant challenge for applications deployed on public cloud platforms. On these platforms, applications are open to several attacks, both from physically co-located applications and from the cloud administrator. In this paper, we consider a hybrid architecture based on the notion of a trusted client. In this architecture, data is stored on the untrusted server with sensitive columns encrypted, and the encryption keys are stored with a trusted client, which is a node hosted in a trusted environment, perhaps on-premises. This separation between the encrypted data and the keys provides a simple guarantee that sensitive information is only accessed in the trusted client and never decrypted in the cloud.

In this paper, we investigate whether database applications can be securely and transparently migrated to this architecture without compromising performance. Towards this end, we develop a novel “secure” query compiler for T-SQL, which automatically partitions an application (a set of stored procedures) between the trusted client and the untrusted server, given an input encryption policy for encrypting columns. The compiler exploits the observation that some encryption schemes are partially homomorphic, i.e., they permit some computations to be performed on encrypted data without changing semantics. We then report results on benchmarking this architecture on transactional benchmarks including TPC-A and TPC-C.
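
The partial homomorphism mentioned above can be seen in a short added example, which is not code from the paper: the untrusted server updates and sums an encrypted column without holding a key, and only the trusted client decrypts. It assumes Paillier as the additively homomorphic scheme (the abstract does not name the schemes the compiler uses), a toy key size, and constructed sample balances.

```python
import math
import secrets

# Toy key: two Mersenne primes. Far too small for real use; illustration only.
P, Q = 2**31 - 1, 2**61 - 1

def keygen(p=P, q=Q):
    """Trusted client: returns (public modulus n, private key)."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    return n, (lam, pow(lam, -1, n))  # mu = lam^-1 mod n, valid for g = n + 1

def encrypt(n, m):
    """Probabilistic Paillier encryption with generator g = n + 1."""
    n2 = n * n
    r = secrets.randbelow(n - 1) + 1
    while math.gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return pow(n + 1, m, n2) * pow(r, n, n2) % n2

def decrypt(n, sk, c):
    """Trusted client only: needs the private key."""
    lam, mu = sk
    return (pow(c, lam, n * n) - 1) // n * mu % n

def server_add(n, c1, c2):
    """Untrusted server: multiplying ciphertexts adds the plaintexts; no key is used."""
    return c1 * c2 % (n * n)

def demo():
    n, sk = keygen()
    balances = [120, 75, 300]                    # constructed sample column
    column = [encrypt(n, b) for b in balances]   # what the server stores
    delta = encrypt(n, 50)                       # client sends Enc(50)
    # Server side: balance = balance + 50 on row 0, then SUM(balance)
    column[0] = server_add(n, column[0], delta)
    total = column[0]
    for c in column[1:]:
        total = server_add(n, total, c)
    # Client side: decrypt the updated row and the aggregate
    return decrypt(n, sk, column[0]), decrypt(n, sk, total)
```

Operations outside the scheme's homomorphism (here, anything other than addition) cannot be evaluated this way on the server, which is why the architecture partitions work between the server and the trusted client.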