Thread: database file encryption

database file encryption

From: Stefano B.
Hi all,
 
I have just discovered that in postgres database file the data are not encrypted. If I open with a text editor these files I can read the records values.
 
I'd like to know if there is a way in order to encrypt these data.
 
PS. for example in mysql the database file are not readable.
Thanks in advance.
Stefano

Re: database file encryption

From: Martijn van Oosterhout
On Fri, Aug 11, 2006 at 09:47:49AM +0200, Stefano B. wrote:
> Hi all,
>
> I have just discovered that in postgres database file the data are
> not encrypted. If I open with a text editor these files I can read
> the records values.
>
> I'd like to know if there is a way in order to encrypt these data.

Sure, run postgres over an encrypted filesystem.

> PS. for example in mysql the database file are not readable.

Odd, I just opened a random mysql file here in a text editor and I
could read the strings just fine.

Have a nice day,
--
Martijn van Oosterhout   <kleptog@svana.org>   http://svana.org/kleptog/
> From each according to his ability. To each according to his ability to litigate.

Re: database file encryption

From: Christopher Browne
Martha Stewart called it a Good Thing when kleptog@svana.org (Martijn van Oosterhout) wrote:
> On Fri, Aug 11, 2006 at 09:47:49AM +0200, Stefano B. wrote:
>> Hi all,
>>
>> I have just discovered that in postgres database file the data are
>> not encrypted. If I open with a text editor these files I can read
>> the records values.
>>
>> I'd like to know if there is a way in order to encrypt these data.
>
> Sure, run postgres over an encrypted filesystem.

Actually, that may not work the way you think it does...

As long as the encrypted filesystem is mounted, you can access the
unencrypted data

>> PS. for example in mysql the database file are not readable.
>
> Odd, I just opened a random mysql file here in a text editor and I
> could read the strings just fine.

The method that consistently works is to encrypt the data before
putting it in the database so that the DBMS is unaware of what the
plaintext form is...
--
output = reverse("moc.liamg" "@" "enworbbc")
http://linuxdatabases.info/info/slony.html
"Linux:  the  operating  system  with  a CLUE...   Command  Line  User
Environment".  (seen in a posting in comp.software.testing)
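
An added example (not part of the original thread or of any poster's message) of the approach described in the message above: the application encrypts a value before storing it, and the raw database file is then searched for the plaintext. It assumes Python's bundled sqlite3 as a stand-in for a PostgreSQL data file and uses an HMAC-SHA256 keystream with encrypt-then-MAC as a standard-library stand-in for a vetted AEAD cipher such as AES-GCM; the sample value, key handling and all function names are constructed for illustration.

```python
import hashlib, hmac, os, sqlite3, tempfile

SECRET = b"card=4111-CONSTRUCTED-SAMPLE"  # constructed sample record value

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: stdlib stand-in for a vetted AEAD (assumption).
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC in the application, before the value reaches the DBMS."""
    nonce = os.urandom(16)  # fresh per value, so equal plaintexts differ on disk
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; raises ValueError on any mismatch."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("stored value was modified or the key is wrong")
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))

def raw_file_contains(stored: bytes, needle: bytes) -> bool:
    """Store one value, then read the database file the way a text editor would."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "demo.db")
        db = sqlite3.connect(path)
        db.execute("CREATE TABLE records (v BLOB)")
        db.execute("INSERT INTO records VALUES (?)", (stored,))
        db.commit()
        db.close()
        with open(path, "rb") as f:
            return needle in f.read()

if __name__ == "__main__":
    enc_key, mac_key = os.urandom(32), os.urandom(32)  # kept by the application only
    blob = seal(enc_key, mac_key, SECRET)
    print("plaintext visible in file:", raw_file_contains(SECRET, SECRET))
    print("plaintext visible after sealing:", raw_file_contains(blob, SECRET))
    print("application can still read it:", unseal(enc_key, mac_key, blob) == SECRET)
```

The keys never reach the database, so anyone who can read the data files, mounted or not, sees only the sealed bytes; the cost is that the DBMS can no longer index, compare or search the protected column.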

Re: database file encryption

From: Martijn van Oosterhout
On Fri, Aug 11, 2006 at 08:52:32AM -0400, Christopher Browne wrote:
> >> I'd like to know if there is a way in order to encrypt these data.
> >
> > Sure, run postgres over an encrypted filesystem.
>
> Actually, that may not work the way you think it does...
>
> As long as the encrypted filesystem is mounted, you can access the
> unencrypted data

Sure. However, it was only asked if the data could be encrypted. My
point was that the OP needs to decide what the actual problem is and
then they can evaluate what are acceptable solutions.

Asking about encrypted files first is putting the cart before the horse.

> The method that consistently works is to encrypt the data before
> putting it in the database so that the DBMS is unaware of what the
> plaintext form is...

Sure, but now you've thought about the attack vectors and what's
important...

Have a nice day,
--
Martijn van Oosterhout   <kleptog@svana.org>   http://svana.org/kleptog/
> From each according to his ability. To each according to his ability to litigate.

Re: database file encryption

From: Chris Browne
kleptog@svana.org (Martijn van Oosterhout) writes:
> On Fri, Aug 11, 2006 at 08:52:32AM -0400, Christopher Browne wrote:
>> >> I'd like to know if there is a way in order to encrypt these data.
>> >
>> > Sure, run postgres over an encrypted filesystem.
>>
>> Actually, that may not work the way you think it does...
>>
>> As long as the encrypted filesystem is mounted, you can access the
>> unencrypted data
>
> Sure. However, it was only asked if the data could be encrypted. My
> point was that the OP needs to decide what the actual problem is and
> then they can evaluate what are acceptable solutions.
>
> Asking about encrypted files first is putting the cart before the
> horse.
>
>> The method that consistently works is to encrypt the data before
>> putting it in the database so that the DBMS is unaware of what the
>> plaintext form is...
>
> Sure, but now you've thought about the attack vectors and what's
> important...

Indeed.

In effect, that means that the important question wasn't asked, namely
"What kind or kinds of attacks do we wish to protect against?"

> Have a nice day,

Trying...
--
"cbbrowne","@","acm.org"
http://www3.sympatico.ca/cbbrowne/spreadsheets.html
Coming  Soon  to a  Mainframe  Near  You!   MICROS~1 Windows  NT  6.0,
complete with VISUAL JCL...