Timothy Madden <terminatorul(at)gmail(dot)com> wrote:
> The machine does not have internet
It would be very unusual for a machine never to be connected to a
network which has Internet access, at least for periodic OS updates
or to get new versions of the database or software. But OK, if you
say they are never, ever connected to networks with Internet
connections, I guess the bad guy would need to access the machine
*twice* to get the password off of it and compromise the data. You
still haven't suggested any reason that this would be more secure
than an encrypted mount-point combined with aggressive idle-time
lockup, though.
> it will not be trivial for the bad guy to install anything there.
Well, if you set up security properly, it wouldn't be trivial for a
bad guy to copy the database off the machine under the pending
login, if they got hold of it while it was running, unless someone
left it running under the root login. Personally, I wouldn't give
the password for that login to anyone who was going to be carrying
the laptop into the field.
> And my idea is exactly that the database is inaccessible, even if
> the server starts.
But the server needs to read certain data from the database
directory in order to start. In particular, WAL files need to be
read to get a clean start, and those can contain any data from the
database table. Any or all tables may need to be accessed to get
the database to a consistent point on startup. Plus there are all
the system catalogs, including the ones needed to authenticate
users.
-Kevin