Re: PG and database encryption

From: John McKown <john(dot)archie(dot)mckown(at)gmail(dot)com>
To: rakeshkumar464 <rakeshkumar464(at)outlook(dot)com>
Cc: PostgreSQL General <pgsql-general(at)postgresql(dot)org>
Subject: Re: PG and database encryption
Date: 2017-08-22 20:08:29
Message-ID: CAAJSdji4-89Ue05kXrkYeMtvwZ0R7ZgpgiOYZyORUXhqKtiyQQ@mail.gmail.com
Lists: pgsql-general

On Tue, Aug 22, 2017 at 2:48 PM, rakeshkumar464
<rakeshkumar464(at)outlook(dot)com> wrote:
> We have a requirement to encrypt the entire database. What is the best tool
> to accomplish this? Our primary goal is that it should be transparent to the
> application, with no change in the application, as compared to un-encrypted
> database. Reading about pgcrypto module, it seems it is good for few columns
> only and using it to encrypt entire database is not a good use-case.
>
> Is this which can be done best by file level encryption? What are the good
> tools on Linux (RHES), preferably open-source.
>
> Thanks

In addition to the link that Joshua gave you, there is this:
https://www.enterprisedb.com/blog/postgres-and-transparent-data-encryption-tde

Personally, what I'd do (and actually do at work) is to use LUKS. This
is a "full disk encryption". When the filesystem is mounted, the
system asks for the password. Unfortunately, this method allows all
users who have the proper authority (UNIX & SELinux) to read (maybe
write) the underlying files. Of course, a properly secured environment
would not allow this, but systems can be hacked. And it does not
address any off-filesystem backups, which would need to be separately
encrypted. LUKS is a good method, IMO, to protect the data if the
media is stolen, but not for protecting the individual files from
improper access. SELinux is pretty good at that.

--
If you look around the poker table & don't see an obvious sucker, it's you.

Maranatha! <><
John McKown
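
Added example, not part of the original message: a shell check of whether a directory is backed by a dm-crypt (LUKS) mapping, which shows the backup gap described above when a dump target sits on a plain volume. The function name `on_crypt`, the device layout and the paths are constructed for illustration; the input format is that of `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT`.

```shell
#!/usr/bin/env bash
# Constructed sample: LUKS on sdb1 with LVM on top, mounted at /var/lib/pgsql;
# /backup is a plain, unencrypted partition.
SAMPLE_LSBLK='KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/"
KNAME="sdb" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sdb1" PKNAME="sdb" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sdb1" TYPE="crypt" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/var/lib/pgsql"
KNAME="sdc" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sdc1" PKNAME="sdc" TYPE="part" MOUNTPOINT="/backup"'

# on_crypt PATH LSBLK_TEXT
# Prints "encrypted" if the mount holding PATH has a dm-crypt device anywhere
# below it, "plaintext" if not, "unknown" (exit 2) if no mount point matches.
on_crypt() {
  printf '%s\n' "$2" | awk -v path="$1" '
    # Extract the value of KEY="value"; the leading space keeps KNAME from
    # matching inside PKNAME.
    function field(line, key,   m) {
      if (!match(" " line, " " key "=\"[^\"]*\"")) return ""
      m = substr(" " line, RSTART + 1, RLENGTH - 1)
      return substr(m, length(key) + 3, length(m) - length(key) - 3)
    }
    {
      k = field($0, "KNAME")
      parent[k] = field($0, "PKNAME")
      type[k] = field($0, "TYPE")
      mp = field($0, "MOUNTPOINT")
      if (mp == "" || substr(mp, 1, 1) != "/") next   # skip unmounted, [SWAP]
      # Keep the longest mount point that is a path prefix of PATH.
      if ((mp == "/" || path == mp || substr(path, 1, length(mp) + 1) == mp "/") \
          && length(mp) > length(bestmp)) { bestmp = mp; best = k }
    }
    END {
      if (best == "") { print "unknown"; exit 2 }
      # Walk the parent chain (lvm -> crypt -> part -> disk); 32 is a loop guard.
      for (d = best; d != "" && n++ < 32; d = parent[d])
        if (type[d] == "crypt") { print "encrypted"; exit 0 }
      print "plaintext"
    }'
}

on_crypt /var/lib/pgsql/data "$SAMPLE_LSBLK"   # data directory
on_crypt /backup/pg_dump "$SAMPLE_LSBLK"       # backup target
# Live use: on_crypt "$PGDATA" "$(lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT)"
```

An "encrypted" result only describes the block device underneath; while the filesystem is mounted, access to the files is still governed by UNIX permissions and SELinux.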
