Doug McNaught wrote:
> David Blewett <david@dawninglight.net> writes:
>
> > In reading the documentation of Peter Gutmann's Cryptlib, I came
> > across this section:
> > "The use of crypto devices can also complicate key management, since
> > keys generated or loaded into the device usually can't be extracted
> > again afterwards. This is a security feature that makes external
> > access to the key impossible, and works in the same way as cryptlib's
> > own storing of keys inside it's security perimeter. This means that if
> > you have a crypto device that supports (say) DES and RSA encryption,
> > then to export an encrypted DES key from a context stored in the
> > device, you need to use an RSA context also stored inside the device,
> > since a context located outside the device won't have access to the
> > DES context's key."
> >
> > I'm not familiar with how his library protects keys, but this suggests
> > that it would be possible to use it as a basis for transparent
> > encryption.
>
> He's talking about hardware crypto devices, which most systems don't
> have (though they're certainly available). If you don't have one of
> those, then the key has to be stored in system memory.
FYI, we do have a general encryption documentation section:
http://www.postgresql.org/docs/8.1/static/encryption-options.html
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
