Re: RFE: Transparent encryption on all fields - Mailing list pgsql-hackers

From tomas@tuxteam.de
Subject Re: RFE: Transparent encryption on all fields
Date
Msg-id 20090425051733.GB30912@tomas
In response to Re: RFE: Transparent encryption on all fields  (Bill Moran <wmoran@potentialtech.com>)
Responses Re: RFE: Transparent encryption on all fields  (Sam Halliday <sam.halliday@gmail.com>)
List pgsql-hackers
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, Apr 24, 2009 at 03:48:16PM -0400, Bill Moran wrote:
> In response to tomas@tuxteam.de:
> 

[...]

> > >                         It is generally much safer to keep keys and the
> > > decryption process on a separate server.
> > 
> > Or just client-side. Minimum spread of knowledge [...]

[...]

> Not true.  If each user has their own key, it's considerably more
> secure than encrypting the partition

That's definitely the advantage of this approach.
[...]

>                                       since it protects from through-
> application attacks as well as physically stolen hardware.

That depends on which state the hardware is in when it's "stolen". If it's
quiescent, good. If it's running (that's what I was referring to with
"live"), the attacker will be able to troll the RAM for unlocked keys,
or whatever. Granted, with a per-user key only the keys of the users
currently "on line" will be compromised.

> Also, putting the key on the client machine causes the client machine to
> be an attack vector, and client machines are usually more numerous and
> more difficult to secure than servers.

Let's face it: once the attacker "has" the client machine, (s)he has
nearly won. Watch all those trojans, keyloggers, whatever in action.
"Having" the client machine means a trojan can impersonate the user
-- game over (but at least only to the data this particular user has
access to).

Note that I'm not talking about stealing the hardware, but hijacking,
trojanizing, whatever. That's the real threat, in this
Javascript/Flash/Silverlight infested world.

Regards
-- tomáss
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFJ8pztBcgs9XrR2kYRAnWrAJ9Q1TEYlm1M/ipGb+EEyW0AY3vQ0gCeIwCE
qta1Q0oAv8bYHsHQHgHO16s=
=OTTh
-----END PGP SIGNATURE-----

