Many encrypted database systems adopt an architecture referred to as client-side encryption. With client-side encryption, data is encrypted on client machines, which are assumed to be secure and have access to all encryption keys. The encrypted data is then sent from clients to a database server where it is stored. Queries are issued by applications at the client and are rewritten by a database driver to encrypt query constants. The rewritten, encrypted queries are then sent to the server and executed. The server returns encrypted query results, which are in turn decrypted by the database driver at the client. In cases where hardware- and/or software-based trusted computing functionality is available to the server, some or all of the encrypted queries received by the server may be executed using that trusted computing functionality.
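
The flow described above, as an added example that is not code from the original page: a client-side driver encrypts query constants, the server matches on ciphertext only, and the driver decrypts the results. The `Driver` class, the `patients` table and the key are hypothetical, an in-memory SQLite database plays the server, and the HMAC-based deterministic cipher is a standard-library stand-in for a vetted deterministic scheme such as AES-SIV.

```python
import hashlib, hmac, sqlite3

KEY = b"constructed-demo-key"  # held only by the client, never sent to the server

def _prf(label: bytes, data: bytes) -> bytes:
    return hmac.new(KEY, label + data, hashlib.sha256).digest()

def _stream(iv: bytes, n: int) -> bytes:
    blocks = (_prf(b"enc", iv + i.to_bytes(4, "big")) for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def encrypt(value: str) -> bytes:
    # Deterministic: equal plaintexts give equal ciphertexts, so the server
    # can evaluate equality predicates without seeing the plaintext.
    pt = value.encode()
    iv = _prf(b"iv", pt)[:16]
    return iv + bytes(a ^ b for a, b in zip(pt, _stream(iv, len(pt))))

def decrypt(blob: bytes) -> str:
    iv, ct = blob[:16], blob[16:]
    pt = bytes(a ^ b for a, b in zip(ct, _stream(iv, len(ct))))
    if not hmac.compare_digest(iv, _prf(b"iv", pt)[:16]):
        raise ValueError("ciphertext was modified")
    return pt.decode()

class Driver:
    """Client-side database driver: rewrites constants, decrypts results."""
    def __init__(self, server: sqlite3.Connection):
        self.server = server

    def execute(self, sql: str, constants=()):
        rewritten = tuple(encrypt(c) for c in constants)  # query rewriting
        rows = self.server.execute(sql, rewritten).fetchall()
        return [tuple(decrypt(c) for c in row) for row in rows]

def demo():
    server = sqlite3.connect(":memory:")  # stands in for the untrusted server
    server.execute("CREATE TABLE patients (name BLOB, diagnosis BLOB)")
    db = Driver(server)
    for row in [("alice", "flu"), ("bob", "asthma"), ("carol", "flu")]:
        db.execute("INSERT INTO patients VALUES (?, ?)", row)  # constructed rows
    result = db.execute("SELECT name FROM patients WHERE diagnosis = ?", ("flu",))
    stored = server.execute("SELECT name, diagnosis FROM patients").fetchall()
    return result, stored

if __name__ == "__main__":
    result, stored = demo()
    print("decrypted result:", result)
    print("what the server stores:", stored[0])
```

Because the encryption is deterministic, the server still learns which stored values are equal to each other, even though it never sees a plaintext or the key.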