I've done several projects in the past where I've encrypted content (both text and files) to be stored in the database or on the server. In these cases, the data is truly encrypted and, if someone were to access just the database, or download the encrypted files, they would be unreadable.
Unfortunately, encryption is only a small *part* of security, and I'd be hesitant to call any of these encrypted projects "secure." The code that encrypts and also decrypts lives on the webserver, along with the keys. So anyone compromising the web host could theoretically access any of the data and simply decrypt it themselves, likely even using the tools built right into the site.
So what's the answer?
I've been struggling to google the best practice; I'm probably just using the wrong search terms. Most of the solutions I've seen don't really address the need to be able to encrypt and decrypt the information in real-time through the website (say, for example, I want to store a user's e-mail address encrypted, but at another time the site needs to send that user a transactional e-mail).
Thoughts?
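The weakness the post describes is that the web tier holds both the ciphertext and the key that decrypts it. The usual mitigation is envelope encryption: each record is encrypted under its own data-encryption key (DEK), and the DEK is itself encrypted ("wrapped") by a key-encryption key (KEK) that lives only in a separate key service (a KMS or HSM the web server calls over an authenticated API). The web tier can still decrypt a stored e-mail address on demand, but only by asking the key service to unwrap that one record's DEK, so a copy of the database plus the web server's code and config is not enough on its own, and every decrypt becomes an auditable call. The following is an added example written for this page, not code from the original post; the `KeyService` interface, the in-process `localKeyService` stand-in and the `Record` layout are all assumptions, with AES-256-GCM from the Go standard library used for both the field ciphertext and the key wrap.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Record is what the web tier stores in the database for one encrypted field.
// Nothing in it can be decrypted without the key service's KEK.
type Record struct {
	WrappedDEK []byte // per-record data key, encrypted by the key service
	Nonce      []byte // GCM nonce used for the field ciphertext
	Ciphertext []byte // AES-GCM ciphertext with the tag appended
}

// KeyService is the only component that ever holds the KEK. In production this
// is a KMS/HSM behind an authenticated API; here it is an in-process stand-in.
type KeyService interface {
	WrapKey(dek []byte) ([]byte, error)
	UnwrapKey(wrapped []byte) ([]byte, error)
}

type localKeyService struct {
	kek cipher.AEAD // the KEK never leaves this struct (assumed stand-in)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err) // no usable CSPRNG: refuse to continue
	}
	return b
}

// NewLocalKeyService generates a fresh 256-bit KEK held only by the service.
func NewLocalKeyService() KeyService {
	aead, err := newGCM(randomBytes(32))
	if err != nil {
		panic(err)
	}
	return &localKeyService{kek: aead}
}

// WrapKey returns nonce || AES-GCM(KEK, dek) so UnwrapKey can find the nonce.
func (s *localKeyService) WrapKey(dek []byte) ([]byte, error) {
	nonce := randomBytes(s.kek.NonceSize())
	return append(nonce, s.kek.Seal(nil, nonce, dek, []byte("dek-wrap"))...), nil
}

func (s *localKeyService) UnwrapKey(wrapped []byte) ([]byte, error) {
	n := s.kek.NonceSize()
	if len(wrapped) < n {
		return nil, errors.New("wrapped key too short")
	}
	return s.kek.Open(nil, wrapped[:n], wrapped[n:], []byte("dek-wrap"))
}

// EncryptRecord runs on the web tier: a fresh DEK per record, AES-256-GCM for
// the field, then the DEK is wrapped by the key service and zeroed locally.
func EncryptRecord(ks KeyService, plaintext []byte) (Record, error) {
	dek := randomBytes(32)
	aead, err := newGCM(dek)
	if err != nil {
		return Record{}, err
	}
	nonce := randomBytes(aead.NonceSize())
	ct := aead.Seal(nil, nonce, plaintext, nil)
	wrapped, err := ks.WrapKey(dek)
	if err != nil {
		return Record{}, err
	}
	for i := range dek {
		dek[i] = 0 // best-effort: the plaintext DEK is not kept on the web tier
	}
	return Record{WrappedDEK: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptRecord is the real-time path (e.g. sending a transactional e-mail):
// one unwrap call to the key service per record, then a local AES-GCM open.
func DecryptRecord(ks KeyService, r Record) ([]byte, error) {
	dek, err := ks.UnwrapKey(r.WrappedDEK)
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, r.Nonce, r.Ciphertext, nil)
}

func main() {
	ks := NewLocalKeyService()
	rec, err := EncryptRecord(ks, []byte("alice@example.test")) // constructed sample
	if err != nil {
		panic(err)
	}
	addr, err := DecryptRecord(ks, rec)
	fmt.Printf("decrypted=%q err=%v\n", addr, err)
	_, err = DecryptRecord(NewLocalKeyService(), rec) // database copy without the KEK
	fmt.Println("without the key service:", err)
}
```

The property worth checking is in the last two lines of `main`: the same `Record` decrypts when the original key service is available and fails against any other KEK, and because GCM authenticates the ciphertext, a modified row fails rather than yielding garbage. Two encryptions of the same address also produce different ciphertext (fresh DEK and nonce each time), so the database does not leak which users share a value. What this does not solve is an attacker who controls the running web server while the key service is reachable; the gains there are that the KEK itself is never exposed, and that per-record unwrap calls can be rate-limited and logged at the key service, which gives you a detection point that a key file on disk never does.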