Re: Database level encryption

From: Andreas 'ads' Scherbaum <adsmail(at)wars-nicht(dot)de>
To: pgsql-admin(at)postgresql(dot)org
Subject: Re: Database level encryption
Date: 2010-04-08 08:52:49
Message-ID: 20100408105249.0523f772@platin.wars-nicht.de
Lists: pgsql-admin


Hi Timothy,

On Wed, 7 Apr 2010 13:45:11 +0300 Timothy Madden wrote:

> On Wed, Apr 7, 2010 at 1:07 AM, Kevin Grittner
> <Kevin(dot)Grittner(at)wicourts(dot)gov> wrote:
> > Timothy Madden <terminatorul(at)gmail(dot)com> wrote:
> >
> [...]
> > But the server needs to read certain data from the database
> > directory in order to start.  In particular, WAL files need to be
> > read to get a clean start, and those can contain any data from the
> > database table.  Any or all tables may need to be accessed to get
> > the database to a consistent point on startup.  Plus there are all
> > the system catalogs, including the ones needed to authenticate
> > users.
>
> OK let's put the key logger issue aside from database encryption.

No, because that's one of the main problems.

If someone already got root access on this laptop, he can sniff
keystrokes or the network traffic and capture all kinds of passwords
(and other interesting information).

Basically your database, running on an unprivileged account, is only as
secure as the root account.

> I am willing to accept that the server may need to read the list of
> tables/schema-objects in the database, and some leftover data, in
> order to start, as long as the leftover data is immediately discarded
> upon start-up, and as long as it is likely that this data is not a
> large fraction of the data found in the database. It would still be
> nice if this check or clean-up could be delayed until such time some
> user really selects the database for use, and provides a password.

There's more:

- Vacuum reads whole memory pages, so any kind of encryption can only be
at row level.
- Analyze stores the most common values per column, so it must be able
to scan the columns without the password. Else the planner won't have
reasonably good data. In addition: the statistics data is stored in
system tables, so your password must apply here too.

Bye

--
Andreas 'ads' Scherbaum
German PostgreSQL User Group
European PostgreSQL User Group - Board of Directors
Volunteer Regional Contact, Germany - PostgreSQL Project
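The following is an added example, not code from the thread or from the PostgreSQL project: it shows the row/column-level encryption that Andreas says is the only level the server can work at, using the pgcrypto extension, and then inspects pg_stats to see what ANALYZE can still learn from an encrypted column. The table name, column names and passphrase are assumptions chosen for the illustration.

```sql
-- Added example (not from the thread). Requires the pgcrypto contrib extension.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- Assumed table: one cleartext column the planner can use, one encrypted column.
CREATE TABLE patient (
    id        serial PRIMARY KEY,
    city      text,   -- cleartext: ANALYZE produces useful statistics here
    diagnosis bytea   -- ciphertext from pgp_sym_encrypt(); server never sees plaintext at rest
);

-- The passphrase is a constructed placeholder; a real application would hold it
-- outside the database and pass it per session.
INSERT INTO patient (city, diagnosis)
SELECT 'Berlin', pgp_sym_encrypt('flu', 'app-passphrase-placeholder')
FROM generate_series(1, 1000);

ANALYZE patient;

-- Compare the statistics ANALYZE stored in the system catalogs:
--   city      -> n_distinct = 1, most_common_vals = {Berlin}
--   diagnosis -> every ciphertext differs (PGP uses a random session key and
--                salt per call), so n_distinct = -1 and most_common_vals is NULL.
-- The planner cannot estimate selectivity on the encrypted column, which is the
-- cost Andreas describes; in exchange, the catalog statistics leak nothing.
SELECT attname, n_distinct, most_common_vals
FROM pg_stats
WHERE tablename = 'patient';

-- Decryption only works when the application supplies the passphrase.
SELECT id, pgp_sym_decrypt(diagnosis, 'app-passphrase-placeholder') AS diagnosis
FROM patient
LIMIT 3;
```

Note that because the passphrase appears in the SQL text, it is visible in pg_stat_activity and in statement logging while the query runs, which is the same root-level exposure Andreas points out: encryption done inside the database does not protect data from an attacker who already controls the host.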
