Re: Encryption in pg_dump

From: Tal Glo <glozmantal(at)gmail(dot)com>
To: Paul Förster <paul(dot)foerster(at)gmail(dot)com>
Cc: Ron <ronljohnsonjr(at)gmail(dot)com>, pgsql-admin(at)lists(dot)postgresql(dot)org
Subject: Re: Encryption in pg_dump
Date: 2020-07-23 08:27:06
Message-ID: CAMreHJLzv9xM2z6vcxq6KxV37C0RGuDSatsa0Fho1u==9i2+Zg@mail.gmail.com
Lists: pgsql-admin

Hi Paul,

There is a way to implement fully homomorphic encryption (FHE) with
Postgres. The decision about which attributes to encrypt must be made at the
database planning step. It is worth mentioning that FHE is good to implement if one
wants to be able to do server-side supported mathematical operations on the
encrypted data. If the data just needs to be stored in an encrypted form,
then using FHE might be a storage overkill. A dump of the database with FHE
encrypted attributes preserves the encryption of the encrypted attributes.

I've used a relatively old version (2.3.1) of Microsoft's SEAL library in
my university project for that. At the time of doing that there were some
"issues" that I had to address:

1. The encrypted attributes were big in size and Postgres cannot store the
FHE ciphertext data type. 20,858 encrypted values used 3.6 GB. ~33% of
that size is because of base64 and the rest of the size is because of my
chosen encryption parameters.

2. Handling queries related to FHE encrypted attributes on the server side
requires implementing one's own C language functions.

There were some other FHE scheme (BFV) limitations that were addressed in
newer versions of SEAL, by introducing a more suitable (for my needs) FHE
scheme (CKKS).

It's not always a good idea to say that something cannot be done or that
someone needs to be replaced. Sometimes it's worth developing some new
process, based on a mixture of available technologies out there.

Best regards,
Tal

Paul Förster <paul(dot)foerster(at)gmail(dot)com> wrote on Thu, 23 July 2020, 09:23:

> Hi Ron,
>
> > On 23. Jul, 2020, at 09:17, Ron <ronljohnsonjr(at)gmail(dot)com> wrote:
> > Adding hooks into libgpgme from pg_dump and pg_restore (needed for
> > --format=directory) would be Very Helpful.
>
> I guess, replacing stupid IT heads with competent ones makes more sense.
>
> Cheers,
> Paul
