Re: Data Encryption

From: "Sandeep Agarwal" <sandeepagarwal(dot)1980(at)gmail(dot)com>
To: "Michael Fuhr" <mike(at)fuhr(dot)org>
Cc: pgsql-novice(at)postgresql(dot)org
Subject: Re: Data Encryption
Date: 2007-03-29 10:55:48
Message-ID: 7e507c800703290355m4364243fq7c223df09028aab5@mail.gmail.com
Lists: pgsql-novice

On 3/29/07, Michael Fuhr <mike(at)fuhr(dot)org> wrote:
> On Thu, Mar 29, 2007 at 01:56:34PM +0530, Sandeep Agarwal wrote:
> > i am new to postgres and am puzzled how to solve the untrusted admin
> > problem.
> >
> > i am having very sensitive data (accounts and payroll) on postgresql
> > server. the goal i want to achieve is that even the sys. admin/database
> > admin. should be able to read the data. i understand that the solution
> > lies in encrypting the fields.
>
> Do you mean that "even the sys. admin/database admin. should NOT
> be able to read the data"? If so then you must perform encryption
> and decryption on a secure machine to which only trusted personnel
> have access. Assume that admins can read all memory, swap space,
> files, and network connections and can trace any process on the
> system.

thanks for the suggestion

> If your threat model includes untrusted admins then also consider
> what kind of responsibility the admins have over the data even if
> they can't read it. Do you trust them not to manipulate, destroy,
> or otherwise render the data unrecoverable, either intentionally
> or accidentally? Do you have a way of ensuring the safety, integrity,
> and availability of the backups those admins will be performing?

yes i can trust the admin that they will not alter / destroy the data.

> > the fields i would like to encrypt are numeric. according to my
> > understanding SQL queries in the application will fail due to this.
> > is it possible to accomplish this task ?
>
> The PostgreSQL documentation discusses encryption options:
>
> http://www.postgresql.org/docs/8.2/interactive/encryption-options.html
>
> As "Client-Side Encryption" says, if you don't trust the admins
> then you'll need to encrypt the data before it reaches the database.
>
> > i am using postgres 8.1, its a perl based application running on apache.
>
> If you're responsible for "very sensitive data" then consider hiring
> a security expert. Security is easy to get wrong; the strongest
> encryption algorithms are worthless if misused or if used properly
> in an insecure environment.
>
> "The world is full of bad security systems designed by people who
> have read _Applied Cryptography_."[1]
>
> [1] Niels Ferguson and Bruce Schneier quoting an unnamed source in
> _Practical Cryptography_, p 382.
>
> --
> Michael Fuhr
>

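The "Client-Side Encryption" approach Michael points to, as an added worked example that is not part of this thread and not code from PostgreSQL or the original Perl application: the client encrypts a numeric field with AES-256-GCM before it reaches the server, stores the opaque bytes in a bytea column, and keeps the key only on the trusted host. The table name, column names (`employee_id`, `salary`) and the `payroll.salary:` context string are assumptions made for the illustration; Go is used here because its standard library ships an AEAD cipher. No database connection is made; the rows are constructed in memory to stand in for what a SELECT would return.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// EncryptedRow is what the application would read back from an assumed
// payroll table with columns (employee_id text, salary bytea): the database
// server only ever sees the opaque bytes in Salary.
type EncryptedRow struct {
	EmployeeID string
	Salary     []byte
}

// rowAAD binds a ciphertext to its row as GCM additional authenticated data,
// so a blob copied into another employee's row fails to decrypt.
// The "payroll.salary:" label is an assumed, application-chosen context string.
func rowAAD(employeeID string) []byte {
	return []byte("payroll.salary:" + employeeID)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptAmount serializes an int64 amount (e.g. a salary in the smallest
// currency unit) and seals it with AES-256-GCM under a fresh random nonce.
// The returned layout is nonce || ciphertext || tag, ready for a bytea column.
func EncryptAmount(key []byte, amount int64, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	plain := make([]byte, 8)
	binary.BigEndian.PutUint64(plain, uint64(amount))
	// Seal appends ciphertext and tag after the nonce, so the nonce travels with the value.
	return gcm.Seal(nonce, nonce, plain, aad), nil
}

// DecryptAmount reverses EncryptAmount. Any error means the blob was
// tampered with, moved to a different row, or sealed under another key.
func DecryptAmount(key []byte, blob []byte, aad []byte) (int64, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return 0, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return 0, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, ct, aad)
	if err != nil {
		return 0, err
	}
	if len(plain) != 8 {
		return 0, errors.New("unexpected plaintext length")
	}
	return int64(binary.BigEndian.Uint64(plain)), nil
}

// SumSalaries is what replaces SELECT SUM(salary): the server cannot add
// opaque bytes, so the rows are fetched and totalled on the trusted client.
func SumSalaries(key []byte, rows []EncryptedRow) (int64, error) {
	var total int64
	for _, r := range rows {
		v, err := DecryptAmount(key, r.Salary, rowAAD(r.EmployeeID))
		if err != nil {
			return 0, fmt.Errorf("row %s: %w", r.EmployeeID, err)
		}
		total += v
	}
	return total, nil
}

func main() {
	// Constructed demo key: in deployment it lives only on the trusted client
	// host, never in the database's memory, files, or backups.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	var rows []EncryptedRow // constructed sample data, standing in for query results
	for id, salary := range map[string]int64{"1001": 5000000, "1002": 7250000} {
		blob, err := EncryptAmount(key, salary, rowAAD(id))
		if err != nil {
			panic(err)
		}
		rows = append(rows, EncryptedRow{EmployeeID: id, Salary: blob})
	}
	total, err := SumSalaries(key, rows)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d opaque rows; client-side total = %d\n", len(rows), total)
}
```

This makes the earlier concern concrete: because every row is sealed under a fresh nonce, the same salary produces different bytes each time, so the database can neither compare, order, nor sum the column, and WHERE, ORDER BY and SUM on it have to move into the application after decryption. It also shows the one protection the database side still gets for free: a blob swapped into another row or altered by a byte fails the GCM authentication check instead of silently decrypting to a wrong number.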