> but if I perform the encryption at the application level instead the data will be encrypted during the transfer to and from the database.
This is true, but this is true for communicating to your database with TLS as well.
I don’t think there is any already implemented support for encrypting content to the relational database from CUBA or any other web app full stack framework. The reason for that is that this is a pretty rare case. You can do it on your own with something like the Java Cryptography Extension (JCE) and a common implementation lib (Bouncy Castle).
This would mean that before a certain entity is stored, you have to replace the content of the object with the encrypted one, and when the data is loaded, you do the reverse.
> but wish to secure the database information in the event that the database gets compromised.
Well, there is the underlying security architecture problem with your approach, I think. So you assume that your DB server gets compromised. OK, so the first thing to do would be to secure it in the way I described above. But let’s assume you don’t trust your DB instance nonetheless, because you think it can be hacked: what makes you think that your Tomcat instances can’t be, or at least that there is a smaller likelihood that this situation will occur?
The problem with the above described JCE approach (let’s assume you do a symmetric encryption like AES) is that you have to store the secret key somewhere (at least if you don’t take this stuff really seriously with something like HashiCorp Vault).
So when you think of a scenario where you get hacked and it is not a general use of a security vulnerability, so your application gets picked before and because of any content of the app, then it will actually just be another indirection. Because the Tomcat can get hacked as well and the secret key can be taken to decrypt your data. So basically it would be security by obscurity.
The downside of that would be that you can’t use a lot of features of a relational database any longer. Take a date column for example: if the DB schema assumes you can only store dates in this column, how would you be able to insert encrypted dates into it? What would it look like? For a string column it would be possible, but nonetheless, you will lose a lot of the query capabilities. It is not possible any longer to define a search query that says: select e from customer e where e.name like '%mario%', because the DB will not know how to compare stuff with encrypted strings.
You can do that, but I would suggest really thinking about what you want to achieve before encrypting the content, and exploring alternative solutions that might fit your needs, like the ones described above.