All depends on how secure you want to be in the event of a hostile network penetration.
If the answer is “very”, consider using a key management solution — either software (I like Hashicorp Vault) or
dedicatedHSM hardware from someone like Gemalto or Thales.
Having the key on a separate server doesn’t help if the application server is compromised.
Cheers,
Evan
Sent from my iPhone
> On Oct 24, 2018, at 05:00, Stéphane KANSCHINE <stephane@hexack.fr> wrote:
>
>
> Hi,
>
> Le mer. 24 oct., vers 08:27, Anjul Tyagi exprimait :
>>
>> We are implementing the pgcrypto in our database to encrypt and decrypt the
>> Column data. for testing purpose we have generate the PGP public / private
>> key and use those when we read and write data.
>>
>> How can we secure the key, if we keep the key outside how can we use that
>> into query.
>
> We keep the private key on the app server. It communicates with postgres
> through SSL and postgres logs aren't too verbose in order to avoid key
> exposition.
>
> If there's a better way, i'm curious of it.
>
> Regards,
> --
> Stéphane KANSCHINE - https://www.hexack.fr./ - https://www.nuajik.io./
> @ stephane@hexack.fr
> +33 6 64 31 72 52
>
