Re: Page-Level Encryption

From: Doug McNaught <doug(at)mcnaught(dot)org>
To: David Blewett <david(at)dawninglight(dot)net>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: Page-Level Encryption
Date: 2006-01-20 21:32:58
Message-ID: 87wtguoa9h.fsf@asmodeus.mcnaught.org
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

David Blewett <david(at)dawninglight(dot)net> writes:

> In reading the documentation of Peter Gutmann's Cryptlib, I came
> across this section:
> "The use of crypto devices can also complicate key management, since
> keys generated or loaded into the device usually can't be extracted
> again afterwards. This is a security feature that makes external
> access to the key impossible, and works in the same way as cryptlib's
> own storing of keys inside it's security perimeter. This means that if
> you have a crypto device that supports (say) DES and RSA encryption,
> then to export an encrypted DES key from a context stored in the
> device, you need to use an RSA context also stored inside the device,
> since a context located outside the device won't have access to the
> DES context's key."
>
> I'm not familiar with how his library protects keys, but this suggests
> that it would be possible to use it as a basis for transparent
> encryption.

He's talking about hardware crypto devices, which most systems don't
have (though they're certainly available). If you don't have one of
those, then the key has to be stored in system memory.

-Doug

In response to

Responses

Browse pgsql-general by date

  From Date Subject
Next Message Bruce Momjian 2006-01-20 21:36:56 Re: Page-Level Encryption
Previous Message David Blewett 2006-01-20 21:27:22 Re: Page-Level Encryption