Re: Looking for advice on database encryption - Mailing list pgsql-general

From Bill Moran
Subject Re: Looking for advice on database encryption
Date
Msg-id 20090416204017.01b260ae.wmoran@potentialtech.com
In response to Re: Looking for advice on database encryption  ("Will Rutherdale (rutherw)" <rutherw@cisco.com>)
List pgsql-general
"Will Rutherdale (rutherw)" <rutherw@cisco.com> wrote:
>
> Couldn't you just add a PGP based column (or similar encryption
> protocol) for authentication?  This would protect you against injection
> attacks, would it not?
>
> You could also use PGP or similar for key management if I'm not
> mistaken.

Thanks for the input, Will.  We're already doing this; the problem we've
had is that the time to decrypt the data is making access too slow.

Basically, people administrators need to be able to say, "show me all the
registrants whose personal medical information is x" and get results in
a reasonable amount of time.  Decrypting the data to do the matching is
about 100x slower than a typical seq scan.

To give you an idea of what we've tried, I've tried pgcrypto, openssl with
rc4, des and 3des, using envelope encryption, and raw aes-128 symmetrical
encryption.  In addition, we've purchased two different hardware
accelerators for crypto to find that both of them are slower than the
CPU itself, and they're both the high-end "enterprise" class cards.

--
Bill Moran
http://www.potentialtech.com
