RE: Application Level Encryption

From: Michel Pelletier <pelletier(dot)michel(at)gmail(dot)com>
Sent: 05 July 2020 17:00
To: Zahir Lalani <ZahirLalani(at)oliver(dot)agency>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: Application Level Encryption

Hi Zahir,

pgsodium is a new-ish encyption extension built around the libsodium encryption API.

https://github.com/michelp/pgsodium

It supports calling a script to load a hidden key in memory and use that key to derive other keys. There's an example shown in the documentation. I'm working on support for the Zymkey hardware security module, as well as support for the AWS key management API.

-Michel

Thx all

So what Michael has posted above is actually the target. We are hosted in Google Cloud and have been told that we need to use a key manager outside of PG (Google have KMS) and that it must have a master key which is rotated regularly. We are having a debate about what to encrypt – “it must encrypt our data” – we are multi-tenanted and also we have data that is not client facing in each tenant. I worry about applying app level to all data for sheer performance reasons.

We have suggested we only encrypt what is truly client data so that we do not have to refactor everything.

The other challenge we have is the external reporting tools we use – none of these will work as, and we cannot pass them the unencrypted data.

So I wanted to understand approaches that could be taken and how to minimise performance impacts and how to manage the use of 3rd party tools

Hope that makes sense

Z