L.V.S.: Efficient secure query evaluation over encrypted XML databases
- In: Proc. of the 32nd International Conference on Very Large Data Bases (VLDB’06), Seoul, Korea, 2006
Abstract
Cited by 25 (0 self)
Motivated by the “database-as-service” paradigm wherein data owned by a client is hosted on a third-party server, there is significant interest in secure query evaluation over encrypted databases. We consider this problem for XML databases. We consider an attack model where the attacker may possess exact knowledge about the domain values and their occurrence frequencies, and we wish to protect sensitive structural information as well as value associations. We capture such security requirements using a novel notion of security constraints. For security reasons, sensitive parts of the hosted database are encrypted. There is a tension between data security and efficiency of query evaluation for different granularities of encryption. We show that finding an optimal, secure encryption scheme is NP-hard. For speeding up query processing, we propose to keep metadata, consisting of structure and value indices, on the server. We want to prevent the server, or an attacker who gains access to the server, from learning sensitive information in the database. We propose security properties for such a hosted XML database system to satisfy and prove that our proposal satisfies these properties. Intuitively, this means the attacker cannot improve his prior belief probability distribution about which candidate database led to the given encrypted database, by looking at the encrypted database as well as the metadata. We also prove that by observing a series of queries and their answers, the attacker cannot improve his prior belief probability distribution over which sensitive queries (structural or value associations) hold in the hosted database. Finally, we demonstrate with a detailed set of experiments that our techniques enable efficient query processing while satisfying the security properties defined in the paper.

