Database systems are often required to maintain the confidentiality or secrecy of various sets of data held on them such that only authorized groups of users or individual users are able to access and manipulate them. This requirement is typically handled through the use of authorization controls. Audit trails are also kept, which in theory at least, keep track of what information individual users access and when the accesses are made. Amongst other purposes, audit trails are intended to provide accountability for the accesses and operations performed on data held on a database system; thereby serving as a deterrent to the improper access and manipulation of data held on the system. While the use of access controls and audit trails are useful and prudent mechanisms for supporting the maintenance of confidentiality on a database system, database systems using these methods still remain vulnerable to breaches of confidentiality. One fundamental area of vulnerability that remains is from systems support personnel. Authorization controls typically grant systems managers, database administrators, and even computer operators who perform backups, full access to data. Personnel with systems privileges can also turn off audit trails and erase or otherwise alter audit trail records. Systems support personnel have special access to database information because it is required in order for them to effectively do their jobs given the limitations of the current technology, the principle limitation being the absence of effective and efficient cryptographic security for the data in current database systems. Furthermore, it should be noted that when access controls are circumvented, e.g., by a computer hacker, once again the lack of cryptographic protection on a database puts the confidentiality of the data at risk.