Re: crypting prosrc in pg_proc - Mailing list pgsql-hackers

From Hans-Juergen Schoenig
Subject Re: crypting prosrc in pg_proc
Date
Msg-id 97E13364-AB6F-45F9-A113-F84AD8B169DB@cybertec.at
Whole thread Raw
In response to Re: crypting prosrc in pg_proc  (Andrew Dunstan <andrew@dunslane.net>)
Responses Re: crypting prosrc in pg_proc  (Peter Eisentraut <peter_e@gmx.net>)
Re: crypting prosrc in pg_proc  (Andrew Dunstan <andrew@dunslane.net>)
Re: crypting prosrc in pg_proc  ("korry.douglas" <korry.douglas@enterprisedb.com>)
Re: crypting prosrc in pg_proc  (Zdenek Kotala <Zdenek.Kotala@Sun.COM>)
List pgsql-hackers
the idea is basically to hide codes - many companies want that and ask for it again and again.

i would suggest keys to reside in $PGDATA. we do this for SSL and so already.

initdb could create such keys so that they are unique to every database instance.
decrypting could be avoided as much as possible basically we should just decrypt on first all and when it changes.

for pg_dump i would suggest two options:
a.) pass the keys to dump in a decrypted way
b.) dump in encrypted way.

i would think that this is a quite valuable features. would be nice to have it.
maybe we can agree on a nice mechanism here which will be implemented then.

hans



On Aug 9, 2007, at 3:57 PM, Andrew Dunstan wrote:



Hans-Juergen Schoenig wrote:
hello everybody,

one of our customers wants to store the code of interpreted procedures (PL/pgSQL, PL/Perl) and so in an encrypted way.
so the idea we had to add one more column to pg_proc telling us whether prosrc is encrypted or not. people could chose then whether to crypt codes there or not (speed of decryption can be an issue).

should not be hard to implement ...

what do people think about this feature?



Perhaps you could give us a justification for it. Are you intending to have stored procs contain security sensitive information? Or is this an attempt to hide closed source code from prying eyes? Where would the encryption keys be stored? And how would it work with pg_dump?

This doesn't sound very well thought out, frankly.

cheers

andrew

---------------------------(end of broadcast)---------------------------
TIP 7: You can help support the PostgreSQL project by donating at




--
Cybertec Geschwinde & Schönig GmbH
Gröhrmühlgasse 26, 2700 Wiener Neustadt
Tel: +43/1/205 10 35 / 340
www.postgresql.at, www.cybertec.at


pgsql-hackers by date:

Previous
From: Andrew Dunstan
Date:
Subject: Re: crypting prosrc in pg_proc
Next
From: Peter Eisentraut
Date:
Subject: Re: crypting prosrc in pg_proc