PGCrypto: Realworld scenario and advice needed

From: "Moran(dot)Michael" <Michael(dot)Moran(at)IGT(dot)com>
To: PostgreSQL <pgsql-sql(at)postgresql(dot)org>
Subject: PGCrypto: Realworld scenario and advice needed
Date: 2005-04-11 21:18:03
Message-ID: B27C8914860EE24E865D189A3735EA53100974@lasexch03.is.ad.igt.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-sql

Hello all,

I'm looking for advice on real-world PGCrypto usage.

I understand how to programmatically encrypt/decrypt data with PGCrypto --
no problem.

My question is:

What is the best way to update massive amounts of *existing* encrypted data
with a new encryption passphrase, assuming you know the old passphrase?

For example:
Let's say that periodically there must be a one-time change of the
encryption passphrase and ALL existing encrypted data has to be encrypted
with the new passphrase.


My initial attack plan was to do the following:

1. Call decrypt() with the old-passphrase to decrypt each table's existing
data.
2. Temporarily store the decrypted data in temp tables.
3. Delete all rows of encrypted data from the original tables -- thereby
clearing the tables of all data encrypted with the old passphrase.
4. Call encrypt() with the new passphrase to encrypt all data in the temp
tables -- thereby repopulating the production tables with data encrypted
with the new passphrase.
5. Blow away the temp tables.

But this seems like a tedious procedure.

Is there any simple way to update ALL existing encrypted data with a new
passphrase, assuming you know the old passphrase and encryption type (i.e.
AES, Blowfish, etc.) without having to go through the 5-step process
mentioned above?

Thank you and best regards,

Michael Moran

Responses

Browse pgsql-sql by date

  From Date Subject
Next Message Andrus Moor 2005-04-11 21:43:10 Query runs very slowly in Postgres, but very fast in other DBMS
Previous Message Dan Feiveson 2005-04-11 20:38:13 OpenFTS