From: | Paul Förster <paul(dot)foerster(at)gmail(dot)com> |
---|---|
To: | Tim Cross <theophilusx(at)gmail(dot)com> |
Cc: | pgsql-admin(at)lists(dot)postgresql(dot)org |
Subject: | Re: Encryption in pg_dump |
Date: | 2020-07-23 05:48:19 |
Message-ID: | C579395F-2357-4C44-950E-352D5B00F601@gmail.com |
Lists: | pgsql-admin |
Hi Tim,

> On 23. Jul, 2020, at 07:34, Tim Cross <theophilusx(at)gmail(dot)com> wrote:
>
> Yes, I think the IT heads issue is the primary driver - combined with
> very poor understanding of information security at senior levels and a
> huge growth of poor quality and 'snake oil salesmen' in the IT security space
> due to the amount of money ill informed senior managers are throwing at
> what they think is a technical problem which usually is in fact a
> business process problem.

and the best solution to that nonsense comes from the big red O. They use PKCS#12 wallets. Good, but as soon as you need auto-open wallets, which you do for every automated job like backups, you put the key right next to it. So it's like having a big safe in your house but the combination of the lock is written all over it. So much for security by obscurity.

For PostgreSQL we use a umask of 077 in our profile. That's why I keep telling my IT head that this is enough and it does not make sense to put the key next to the safe.

Cheers,
Paul
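
The effect of the umask of 077 mentioned in the message above, as an added example that is not part of the original email: a stand-in dump is written under two umasks, and a permission audit lists anything group or others can reach. The function names, the directory layout and the `db.dump` file are assumptions made for this illustration, and `printf` stands in for `pg_dump`.

```shell
#!/bin/sh
# Added example with constructed paths; no real database is involved.

# Write a stand-in dump into a new directory under the given umask.
# Runs in a subshell so the caller's own umask is left untouched.
# $1 = umask, $2 = directory to create (hypothetical backup target)
write_dump() {
    (
        umask "$1"
        mkdir -p "$2"
        # printf stands in for: pg_dump ... > "$2/db.dump"
        printf 'constructed dump contents\n' > "$2/db.dump"
    )
}

# List every file or directory under $1 that grants any permission bit
# to group or others. umask only affects newly created files, so this
# also catches backups written before the umask was tightened.
audit_backup_perms() {
    find "$1" \( -perm -001 -o -perm -002 -o -perm -004 \
              -o -perm -010 -o -perm -020 -o -perm -040 \) -print
}

demo() {
    base=$(mktemp -d) || return 1
    write_dump 022 "$base/loose"   # common default umask
    write_dump 077 "$base/tight"   # umask from the message
    echo "umask 022 findings:"
    audit_backup_perms "$base/loose"
    echo "umask 077 findings:"
    audit_backup_perms "$base/tight"
    rm -rf "$base"
}

demo
```

With umask 022 both the directory and the dump file are reported; with umask 077 the audit prints nothing.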