On Thu, May 20, 2010 at 09:33:23PM -0500, Peter Hunsberger wrote:
> On Thu, May 20, 2010 at 8:03 PM, Richard Walker <richard@softimp.com.au> wrote:
> > If the hacker gets root access so they can read
> > the raw database files, they most likely also
> > have access to the means to decrypt any
> > encrypted data. This is particularly so if
> > the database updates are being done by stored
> > procedures.
>
> Only if they also get at the keys.
It's very difficult (with a conventional OS) to remove the *entirety* of
the server hardware and software from the TCB. Hence you should assume
that if PG ever sees a key it's also possible for an attacker to see the
same key.
The options are pretty much do all crypto away from the database server
(either client side, or on another server that you can trust) or you
have to trust (also in the technical sense) the database server itself
and things become greatly simplified.
> > If encryption/decryption happens
> > on a separate (not-also-compromised) client,
> > then OK. Do you know of a way to deal with
> > this if the application is on the same computer
> > as the database?
>
> Can you use an external key store?
How does this help? if the database has been compromised, what would
stop the attacker from inserting some code that records the responses
from this "external key store"?
--
Sam http://samason.me.uk/
