I am trying to find the best approach regarding encryption of customer information in the commerce database (name, email, phone number, shipping address, billing address)?
Basically, someone owning a backup of the commerce database should not be allowed to acess any customer information.
For the first question, Commerce database can use SQL Server encryption to encrypt/decrypt data. One example is the CreditCard information, which is encrypted by default.
Unfortunately, use encryption means your database will not be Azure - compatible (because SQL Azure does not support encryption), and there's no easy way to indicate a specific customer information is encrypted (Which is unlike the encryption option for metafield, you only need to turnon the value when you create it).
I think the simpler way for you is to extend CustomerContact class and use encryption in Application level, instead of use database-level encryption.
Thank you for your response. I was also thinking about using the application level encryption, though I was wondering whether EPiServer offers any support (aside from the metafield encryption).
You could use the MachineKey.Protect() method for this.