| From: | Evan Bauer <evanbauer(at)mac(dot)com> |
|---|---|
| To: | Stéphane KANSCHINE <stephane(at)hexack(dot)fr> |
| Cc: | Anjul Tyagi <anjul(at)ibosstech-us(dot)com>, pgsql-admin(at)postgresql(dot)org |
| Subject: | Re: Encryption / Decryption via PGCrypto |
| Date: | 2018-10-25 03:47:11 |
| Message-ID: | 95B4AD74-4749-4018-A2F9-93C550E52E69@mac.com |
| Lists: | pgsql-admin |

All depends on how secure you want to be in the event of a hostile network penetration.

If the answer is “very”, consider using a key management solution — either software (I like Hashicorp Vault) or dedicated HSM hardware from someone like Gemalto or Thales.

Having the key on a separate server doesn’t help if the application server is compromised.

Cheers,
Evan

Sent from my iPhone

> On Oct 24, 2018, at 05:00, Stéphane KANSCHINE <stephane(at)hexack(dot)fr> wrote:
>
>
> Hi,
>
> On Wed. 24 Oct., around 08:27, Anjul Tyagi wrote:
>>
>> We are implementing pgcrypto in our database to encrypt and decrypt the
>> column data. For testing purposes we have generated the PGP public / private
>> key and use those when we read and write data.
>>
>> How can we secure the key? If we keep the key outside, how can we use it
>> in a query?
>
> We keep the private key on the app server. It communicates with postgres
> through SSL and postgres logs aren't too verbose in order to avoid key
> exposure.
>
> If there's a better way, I'm curious about it.
>
> Regards,
> --
> Stéphane KANSCHINE - https://www.hexack.fr./ - https://www.nuajik.io./
> @ stephane(at)hexack(dot)fr
> +33 6 64 31 72 52
>
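
As an added illustration (not written by anyone in this thread): the arrangement described in the quoted reply, with the private key held by the application and supplied per query while the database role's logging is kept quiet, could look like this with pgcrypto. The table, role and prepared-statement names are hypothetical.

```sql
-- Added example; customer_secret, app_rw, put_secret and get_secret are hypothetical names.
-- Run the setup as a superuser: the three logging parameters below are superuser-only.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE customer_secret (
    id      bigserial PRIMARY KEY,
    payload bytea NOT NULL   -- OpenPGP message written by pgp_pub_encrypt()
);

CREATE ROLE app_rw LOGIN;
GRANT SELECT, INSERT ON customer_secret TO app_rw;
GRANT USAGE ON SEQUENCE customer_secret_id_seq TO app_rw;

-- Keep this role's statement text out of the server log,
-- including for slow queries and for statements that raise errors.
ALTER ROLE app_rw SET log_statement = 'none';
ALTER ROLE app_rw SET log_min_duration_statement = -1;
ALTER ROLE app_rw SET log_min_error_statement = 'panic';

-- PREPARE is per session; the application prepares these on its own connection.

-- Write path: needs only the public key.
-- $1 = plaintext, $2 = ASCII-armored public key.
PREPARE put_secret(text, text) AS
    INSERT INTO customer_secret (payload)
    VALUES (pgp_pub_encrypt($1, dearmor($2)))
    RETURNING id;

-- Read path: the application supplies the private key on each call;
-- it is never stored in the database.
-- $1 = row id, $2 = ASCII-armored private key, $3 = passphrase protecting that key.
PREPARE get_secret(bigint, text, text) AS
    SELECT pgp_pub_decrypt(payload, dearmor($2), $3) AS plaintext
    FROM customer_secret
    WHERE id = $1;

-- From application code, pass $1..$3 as driver-level bind parameters.
-- A SQL-level EXECUTE get_secret(1, '<key>', '<passphrase>') would put the key
-- back into the statement text, where it can show up in pg_stat_activity
-- and in any log line that records the statement.
```

The private key still travels to the PostgreSQL server on every read, because `pgp_pub_decrypt()` runs server-side, so the encrypted connection mentioned in the quoted reply remains necessary.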