| From: | Silvana Di Martino <silvanadimartino(at)tin(dot)it> |
|---|---|
| To: | Joe Conway <mail(at)joeconway(dot)com> |
| Cc: | Peter Galbavy <peter(dot)galbavy(at)knowtion(dot)net>, pgsql-admin(at)postgresql(dot)org |
| Subject: | Re: Database Encryption (now required by law in Italy) |
| Date: | 2004-03-08 22:43:37 |
| Message-ID: | 200403082219.06167.silvanadimartino@tin.it |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-admin |
Alle 17:29, lunedì 8 marzo 2004, Joe Conway ha scritto:
> Silvana Di Martino wrote:
> > Oracle has a built-in feature for encrypting/decrypting this password's
> > password.
>
> Right, and this master password is only protected because Oracle is
> closed source. It is not possible to do the same thing with Postgres
> because you could find the master key (or the algorithm to produce it)
> in the source code.
>
> However this amounts to "security by obscurity", and anyone serious
> about encryption will tell you it is insufficient. There is no way to
> have cryptographically sound protection of your data using a key
> embedded in the software like that.
Right. I completely agree. The only way to implement such a mechanism in a
open source product is to keep the password away from the RDBMS host. See my
previous messages for a plausible scenario.
See you
-----------------------------------------
Alessandro Bottoni and Silvana Di Martino
alessandrobottoni(at)interfree(dot)it
silvanadimartino(at)tin(dot)it
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Christopher Browne | 2004-03-08 23:51:56 | Re: HIPAA |
| Previous Message | Silvana Di Martino | 2004-03-08 22:43:12 | Re: Article on DB encryption |