Re: Database level encryption - Mailing list pgsql-admin

From Joe Conway
Subject Re: Database level encryption
Date
Msg-id 4BB774D4.3070306@joeconway.com
Whole thread Raw
In response to Database level encryption  (Timothy Madden <terminatorul@gmail.com>)
Responses Re: Database level encryption
List pgsql-admin
On 04/03/2010 06:35 AM, Timothy Madden wrote:
> I can only see how PostgreSQL encrypts the password or the connection
> in the documentation, and for the database I can see application-level
> encryption with pgcrypto (and filesystem level encryption), How could
> I get database level encryption in PostgreSQL ?

This is an extremely broad question, and you have barely begun to
provide enough information to answer it. For starters:

1. What is your threat scenario?
   a) The physical machine is stolen
   b) A database dump is stolen
   c) Someone roots your system
   d) Someone compromises your application, via SQL injection, etc

2. What data needs to be encrypted?
   a) All columns of all tables
   b) Selected columns of selected tables

3. Do you need to be able to search or sort on any of the encrypted
   columns?

4. Is your password stored somewhere on the hardware, or is it entered
   by a human every time the application starts?

5. Do you want a single password for all data access, or is the
   encryption by user or some other segmentation?

6. Is brute-force cracking of the password a concern? Will your
   application shut down repeated failed attempts?

There is no magic bullet. This requires careful thought, analysis, and
trade-offs.

Joe


Attachment

pgsql-admin by date:

Previous
From: Timothy Madden
Date:
Subject: Database level encryption
Next
From: Nilesh Govindarajan
Date:
Subject: Execute VACUUM FULL when DB touches a specific size ?