Re: security question

From: "Jan Muszynski" <postgres(at)jancm(dot)org>
To: Ron Johnson <ron(dot)l(dot)johnson(at)cox(dot)net>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: security question
Date: 2007-01-22 16:25:37
Message-ID: 45B49F31.19108.C578AC@postgres.jancm.org
Lists: pgsql-general

On 22 Jan 2007 at 10:15, Ron Johnson wrote:

> On 01/22/07 09:55, Jan Muszynski wrote:
> > On 22 Jan 2007 at 16:10, Sim Zacks wrote:
> >
> >> How good is postgresql security? For example, if I have data
> >> that I do not want anyone to see, including the programmer/dba, is
> >> it enough to change the password to the only user? If they have
> >> access to the raw files is there a way for them to somehow see
> >> the data? Can they copy the files to another postgresql
> >> instance where they have rights and view the data?
> >>
> >> Basically, we have a requirement to put sensitive personnel
> >> information into the database, including salary etc. and we
> >> don't want any employees, including the dba to have a
> >> possibility of accessing it.
> >
> > You'll have to store the data encrypted. If you want to be
> > ultrasecure you should encrypt/decrypt on the client side.
> >
> > http://www.postgresql.org/docs/8.2/interactive/encryption-options.html
> >
> >
> > You can encrypt/decrypt server side using functions from the
> > contrib pgcrypto module, but if you choose to do it that way then
> > the data is being transmitted in the clear between the client and
> > the server (unless you're using SSL). Even if using SSL the data
> > would be present on the server in unencrypted form both before it
> > gets stored, and after it gets decrypted and is being sent back
> > to the client. Any DBA etc would be able to intercept that data.
> > Not only that but the DBA would be able to intercept the key
> > being used to encrypt/decrypt the data (and thus be able to
> > decrypt the contents of the entire DB).
>
> Root, I can understand, but why would the DBA be able to intercept
> the key?

All he'd have to do is turn on logging for all SQL statements. In the log
files he'd find the key as it was transmitted from the client (necessary
if the client is entering the key and crypt functions are taking place
server side). I am assuming that DBA = database superuser in this
instance, and probably should have used the term superuser instead.

<snip>
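
The log exposure described in the reply above, as an added example that is not part of the original message: a Python check that a database owner could run over a statement log to find pgcrypto calls whose key arrived as a plain SQL literal, reporting them with the key redacted. The log lines, the personnel table and the passphrase are constructed, and keys sent as bind parameters are not covered.

```python
import re

# pgcrypto functions whose second argument is the key or passphrase.
FUNCS = "pgp_sym_encrypt|pgp_sym_decrypt|encrypt|decrypt|hmac"
# A single-quoted SQL literal; '' is an escaped quote inside it.
LIT = r"'(?:[^']|'')*'"
# Matches: func( <data literal or column name> , <key literal>
CALL = re.compile(
    r"\b(?P<func>" + FUNCS + r")\s*\(\s*(?:" + LIT + r"(?:::\w+)?|[^,()']+)"
    r"\s*,\s*(?P<key>" + LIT + r")",
    re.IGNORECASE,
)


def _redact(m):
    # The key literal is the tail of the match; keep everything before it.
    return m.group(0)[: m.start("key") - m.start()] + "'<redacted>'"


def find_key_exposures(log_text):
    """Return (line_no, functions, redacted_line) for every statement-log line
    in which a pgcrypto call carries its key as a plain SQL literal."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if "statement:" not in line:
            continue
        funcs = [m.group("func").lower() for m in CALL.finditer(line)]
        if funcs:
            findings.append((line_no, funcs, CALL.sub(_redact, line)))
    return findings


# Constructed sample of what a server logging all statements would record.
SAMPLE_LOG = "\n".join([
    "2007-01-22 16:20:01 EST LOG:  statement: INSERT INTO personnel (name, salary) "
    "VALUES ('A. Example', pgp_sym_encrypt('52000', 'constructed-passphrase'));",
    "2007-01-22 16:20:07 EST LOG:  statement: SELECT name, "
    "pgp_sym_decrypt(salary, 'constructed-passphrase') FROM personnel;",
    # Client-side encryption: the server only ever receives ciphertext.
    "2007-01-22 16:20:15 EST LOG:  statement: INSERT INTO personnel (name, salary) "
    "VALUES ('B. Example', decode('c30d0407030238a1', 'hex'));",
])

if __name__ == "__main__":
    for line_no, funcs, redacted in find_key_exposures(SAMPLE_LOG):
        print(line_no, ",".join(funcs), redacted)
```

The first two constructed lines are flagged because the passphrase travels inside the statement text; the third, encrypted on the client, carries no key for the log to record.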
