Re: Looking for advice on database encryption

From: Bill Moran <wmoran(at)potentialtech(dot)com>
To: "Will Rutherdale (rutherw)" <rutherw(at)cisco(dot)com>
Cc: <pgsql-general(at)postgresql(dot)org>
Subject: Re: Looking for advice on database encryption
Date: 2009-04-17 00:40:17
Message-ID: 20090416204017.01b260ae.wmoran@potentialtech.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

"Will Rutherdale (rutherw)" <rutherw(at)cisco(dot)com> wrote:
>
> Couldn't you just add a PGP based column (or similar encryption
> protocol) for authentication? This would protect you against injection
> attacks, would it not?
>
> You could also use PGP or similar for key management if I'm not
> mistaken.

Thanks for the input, Will. We're already doing this, the problem we've
had is that the time to decrypt the data is making access too slow.

Basically, people administrators need to be able to say, "show me all the
registrants whose personal medical information is x" and get results in
a reasonable amount of time. Decrypting the data to do the matching is
about 100x slower than a typical seq scan.

To give you an idea of what we've tried, I've tried pgcrypto, openssl with
rc4, des and 3des, using envelope encryption, and raw aes-128 symmetrical
encryption. In addition, we've purchased two different hardware
accelerators for crypto to find that both of them are slower than the
CPU itself, and they're both the high-end "enterprise" class cards.

--
Bill Moran
http://www.potentialtech.com

In response to

Browse pgsql-general by date

  From Date Subject
Next Message Bill Moran 2009-04-17 00:42:08 Re: Looking for advice on database encryption
Previous Message Bill Moran 2009-04-17 00:29:01 Re: Looking for advice on database encryption