Postgres Pro
Downloads
Home   >   mailing lists

Re: Regd. the Implementation of Wallet (in Oracle) config equivalent in postgreSQL whilst the database migration - Mailing list pgsql-general

From Rainer Duffner
Subject Re: Regd. the Implementation of Wallet (in Oracle) config equivalent in postgreSQL whilst the database migration
Date
Msg-id 08F69776-6702-41F4-ACA5-CABF74CFE115@ultra-secure.de
Whole thread Raw
In response to Re: Regd. the Implementation of Wallet (in Oracle) config equivalent in postgreSQL whilst the database migration  ("Peter J. Holzer" <hjp-pgsql@hjp.at>)
Responses Re: Regd. the Implementation of Wallet (in Oracle) config equivalent in postgreSQL whilst the database migration
Re: Regd. the Implementation of Wallet (in Oracle) config equivalent in postgreSQL whilst the database migration
List pgsql-general
Tree view


Am 22.12.2022 um 10:46 schrieb Peter J. Holzer <hjp-pgsql@hjp.at>:

If the hacker has root access: What prevents them from talking to the
HSM?


I wasn’t involved in setting it up here, but AFAIK you need to „enroll“ the client to the HSM.

That is a one-time process that requires HSM credentials (via certificates and pass-phrases).

Then, that client can talk to the HSM. 

The HSM-client is (or should be) engineered in such a way that you can’t extract the encryption-secret easily.

I am not sure, but IIRC, you should not even be able to clone the VM without the HSM noticing or the clone not working at all to begin with (for lack of enrollment). Though most production databases are too large to just „clone“.

Maybe someone who knows more about this subject can chime in before I make a fool of myself?
;-)




Rainer

pgsql-general by date:

Previous
From: "Peter J. Holzer"
Date:
Subject: Re: Regd. the Implementation of Wallet (in Oracle) config equivalent in postgreSQL whilst the database migration
Next
From: hamann.w@t-online.de
Date:
Subject: trouble writing plpgsql