| From: | Rainer Duffner <rainer(at)ultra-secure(dot)de> |
|---|---|
| To: | Benedict Holland <benedict(dot)m(dot)holland(at)gmail(dot)com> |
| Cc: | Ron <ronljohnsonjr(at)gmail(dot)com>, pgsql-general <pgsql-general(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: Regd. the Implementation of Wallet (in Oracle) config equivalent in postgreSQL whilst the database migration |
| Date: | 2022-12-22 08:17:18 |
| Message-ID: | 807557F0-F4F0-496A-B4B6-B043F8408A5B@ultra-secure.de |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
> Am 22.12.2022 um 00:57 schrieb Benedict Holland <benedict(dot)m(dot)holland(at)gmail(dot)com>:
>
> Like, does oracle give you something more? Probably. It's also a ton of money and I mean a geuine ton. At that point, you also need security audits, security protocols, requirements, backup and retention policies, and redundancy key locations. If someone has root, I don't know how they also don't have your encryption keys.
They are not on the same box. They are in a HSM. A dedicated piece of tamper-proof hardware that stores secrets (keys).
The Oracle-server needs to talk to the HSM to get the keys.
This is not a low-budget setup (well, it’s Oracle…) - rather, it’s for when the data is really very valuable so that the cost for redundant HSMs, Oracle, Data Guard etc.pp. is still lower than the value of the data.
OP works for an outfit that typically does outsourcing for these kinds of clients.
It’s all about having more degrees of separation between different functions, so you don’t have to trust the single, Dennis-Nedry-type of admin to not sell the information in the database to the highest bidder.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Peter J. Holzer | 2022-12-22 09:46:22 | Re: Regd. the Implementation of Wallet (in Oracle) config equivalent in postgreSQL whilst the database migration |
| Previous Message | Andreas Kretschmer | 2022-12-22 07:41:06 | Re: pg_wal directory max size |