Re: [GENERAL] Securing Information - Mailing list pgsql-general

If you're storing HIPAA data and/or PII then just make sure it's encrypted at rest. We just did this at my workplace by using full disk encryption on the disk which stores the DB files.
That may not be the best solution, but it appears to work well enough.

data really should be encrypted at the end point it originates and only decrypted at the end point where its used.    yes, this presents all sorts of annoying issues for everything in between, but anything less is false security.

the problem with full disk encryption, as long as the volume is mounted, the data is visible as the encryption keys are loaded at boot or mount time.  the only threat model FDE protects against is physical theft of the server.

-- 
john r pierce, recycling bits in santa cruz