On 22 Jan 2007 at 16:10, Sim Zacks wrote:
> How good is postgresql security?
> For example, If I have data that I do not anyone to see, including the programmer/dba, is it enough
> to change the password to the only user?
> If they have access to the raw files is there a way for them to somehow see the data?
> can they copy the files to another postgresql instance where they have rights and view the data?
>
> Basically, we have a requirement to put sensitive personnel information into the database, including
> salary etc. and we don't want any employees, including the dba to have a possibility of accessing it.
You'll have to store the data encrypted. If you want to be ultrasecure you
should encrypt\decrypt on the client side.
http://www.postgresql.org/docs/8.2/interactive/encryption-options.html
You can encrypt/decrypt server side using fynctions from the contrib
pgrypto module, but if you choose to do it that way then the data is being
transmitted in the clear between the client and the server (unless you're
using SSL). Even if using SSL the data would be present on the server in
unencrypted form both before it gets stored, and after it gets decrypted
and is being sent back to the client. Any DBA etc would be able to
intercept that data. Not only that but the DBA would be able to intercept
the key being used to encrypt/decrypt the data (and thus be able to
decrypt the contents of the entire DB).
The only way to absolutely prevent this from happening is to
encrypt/decrypt locally on the client side.
This is not a PostgreSQL limitation, it would be true of any DB out there.
-jan
