| From: | Bruce Momjian <bruce(at)momjian(dot)us> |
|---|---|
| To: | Nico Williams <nico(at)cryptonector(dot)com> |
| Cc: | Masahiko Sawada <sawada(dot)mshk(at)gmail(dot)com>, "Moon, Insung" <Moon_Insung_i3(at)lab(dot)ntt(dot)co(dot)jp>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>, Joe Conway <mail(at)joeconway(dot)com> |
| Subject: | Re: [Proposal] Table-level Transparent Data Encryption (TDE) and Key Management Service (KMS) |
| Date: | 2018-06-20 21:16:46 |
| Message-ID: | 20180620211646.GF17551@momjian.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Mon, Jun 18, 2018 at 12:29:57PM -0500, Nico Williams wrote:
> On Mon, Jun 11, 2018 at 06:22:22PM +0900, Masahiko Sawada wrote:
> > As per discussion at PGCon unconference, I think that firstly we need
> > to discuss what threats we want to defend database data against. If
>
> We call that a threat model. There can be many threat models, of
> course.
>
> > user wants to defend against a threat that is malicious user who
> > logged in OS or database steals an important data on datbase this
> > design TDE would not help. Because such user can steal the data by
> > getting a memory dump or by SQL. That is of course differs depending
> > on system requirements or security compliance but what threats do you
> > want to defend database data against? and why?
>
> This design guards (somewhat) againts the threat of the storage theft
> (e.g., because the storage is remote). It's a fine threat model to
> address, but it's also a lot easier to address in the filesystem or
> device drivers -- there's no need to do this in PostgreSQL itself except
> so as to support it on all platforms regardless of OS capabilities.
>
> Note that unless the pg_catalog is protected against manipulation by
> remote storage, then TDE for user tables might be possible to
> compromise. Like so: the attacker manipulates the pg_catalog to
> escalate privelege in order to obtain the TDE keys. This argues for
> full database encryption, not just specific tables or columns. But
> again, this is for the threat model where the storage is the threat.
Yes, one big problem with per-column encryption is that administrators
can silently delete data, though they can't add or modify it.
> Another similar thread model is dump management, where dumps are sent
> off-site where untrusted users might read them, or even edit them in the
> hopes that they will be used for restores and thus compromise the
> database. This is most easily addressed by just encrypting the backups
> externally to PG.
>
> Threat models where client users are the threat are easily handled by
> PG's permissions system.
>
> I think any threat model where DBAs are not the threat is just not that
> interesting to address with crypto within postgres itself...
Yes, but in my analysis the only solution there is client-side
encryption:
http://momjian.us/main/writings/crypto_hw_use.pdf#page=97
You might want to look at the earlier slides too.
--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ As you are, so once was I. As I am, so you will be. +
+ Ancient Roman grave inscription +
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Nico Williams | 2018-06-20 21:57:18 | Re: [Proposal] Table-level Transparent Data Encryption (TDE) and Key Management Service (KMS) |
| Previous Message | Bruce Momjian | 2018-06-20 21:12:38 | Re: [Proposal] Table-level Transparent Data Encryption (TDE) and Key Management Service (KMS) |