Re: Database level encryption - Mailing list pgsql-admin

From Chris Browne
Subject Re: Database level encryption
Msg-id 87iq833x9g.fsf@ca.afilias.info
In response to Database level encryption  (Timothy Madden <terminatorul@gmail.com>)
List pgsql-admin

terminatorul@gmail.com (Timothy Madden) writes:
> Andreas 'ads' Scherbaum <adsmail@wars-nicht.de> wrote:
>
>> If someone captures the machine the bad guy can install a network
>> sniffer and steal the database passwords upon connect.
>
> I think protecting against a keylogger is a different issue than
> database encryption. Is this why database encryption is "not needed"
> for PostgreSQL, as people here say ?

No, the nuance is a bit different.

It's not that "database encryption is not needed" - it's rather that
"database encryption doesn't usefully protect against a terribly
interesting set of attacks."

When we think through the scenarios, while encrypting the whole database
might seemingly protect against *some* attacks, that's not enough of the
story:

 - There are various classes of attacks that it doesn't help one bit
   with.

 - In order to have the database accessible to the postmaster process,
   there needs to be a copy of the decryption key on that machine,
   and it is surprisingly difficult to protect that key from someone
   who has physical access to the machine.

This has the result that people are inclined to suggest that encrypting
the whole database mayn't actually be a terribly useful technique in
practice.
--
Know how to blow any problem up into insolubility.  Know how to use the
phrase "The new ~A system" to insult its argument, e.g., "I guess this
destructuring LET thing is fixed in the new Lisp system", or better yet,
PROLOG.  -- from the Symbolics Guidelines for Sending Mail
