Re: RFE: Transparent encryption on all fields

From: tomas(at)tuxteam(dot)de
To: Bill Moran <wmoran(at)potentialtech(dot)com>
Cc: tomas(at)tuxteam(dot)de, Marc Munro <marc(at)bloodnok(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: RFE: Transparent encryption on all fields
Date: 2009-04-25 05:17:33
Message-ID: 20090425051733.GB30912@tomas
Lists: pgsql-hackers

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, Apr 24, 2009 at 03:48:16PM -0400, Bill Moran wrote:
> In response to tomas(at)tuxteam(dot)de:
>

[...]

> > > It is generally much safer to keep keys and the
> > > decryption process on a separate server.
> >
> > Or just client-side. Minimum spread of knowledge [...]

[...]

> Not true. If each user has their own key, it's considerably more
> secure than encrypting the partition

That's definitely the advantage of this approach.
[...]

> since it protects from through-
> application attacks as well as physically stolen hardware.

That depends on which state the hardware is in when it's "stolen". If it's
quiescent, good. If it's running (that's what I was referring to with
"live"), the attacker will be able to troll the RAM for unlocked keys,
or whatever. Granted, with a per-user key only the keys of the users
currently "on line" will be compromised.

> Also, putting the key on the client machine causes the client machine to
> be an attack vector, and client machines are usually more numerous and
> more difficult to secure than servers.

Let's face it: once the attacker "has" the client machine, (s)he has
nearly won. Watch all those trojans, keyloggers, whatever in action.
"Having" the client machine means a trojan can impersonate the user
-- game over (but at least only to the data this particular user has
access to).

Note that I'm not talking about stealing the hardware, but hijacking,
trojanizing, whatever. That's the real threat, in this
Javascript/Flash/Silverlight infested world.

Regards
-- tomáss
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFJ8pztBcgs9XrR2kYRAnWrAJ9Q1TEYlm1M/ipGb+EEyW0AY3vQ0gCeIwCE
qta1Q0oAv8bYHsHQHgHO16s=
=OTTh
-----END PGP SIGNATURE-----
