Re: Database level encryption

From: Chris Browne <cbbrowne(at)acm(dot)org>
To: pgsql-admin(at)postgresql(dot)org
Subject: Re: Database level encryption
Date: 2010-04-07 18:58:35
Message-ID: 87iq833x9g.fsf@ca.afilias.info
Lists: pgsql-admin

terminatorul(at)gmail(dot)com (Timothy Madden) writes:
> Andreas 'ads' Scherbaum <adsmail(at)wars-nicht(dot)de> wrote:
>
>> If someone captures the machine the bad guy can install a network
>> sniffer and steal the database passwords upon connect.
>
> I think protecting against a keylogger is a different issue than
> database encryption. Is this why database encryption is "not needed"
> for PostgreSQL, as people here say?

No, the nuance is a bit different.

It's not that "database encryption is not needed" - it's rather that
"database encryption doesn't usefully protect against a terribly
interesting set of attacks."

When we think through the scenarios, while encrypting the whole database
might seemingly protect against *some* attacks, that's not enough of the
story:

- There are various classes of attacks that it doesn't help one bit
  with.

- In order to have the database accessible to the postmaster process,
  there needs to be a copy of the decryption key on that machine,
  and it is surprisingly difficult to protect that key from someone
  who has physical access to the machine.

This has the result that people are inclined to suggest that encrypting
the whole database mayn't actually be a terribly useful technique in
practice.
--
Know how to blow any problem up into insolubility. Know how to use the
phrase "The new ~A system" to insult its argument, e.g., "I guess this
destructuring LET thing is fixed in the new Lisp system", or better yet,
PROLOG. -- from the Symbolics Guidelines for Sending Mail
