From: | "Matt Clark" <matt(at)ymogen(dot)net> |
---|---|
To: | "Dave Ewart" <Dave(dot)Ewart(at)cancer(dot)org(dot)uk>, <pgsql-admin(at)postgresql(dot)org> |
Subject: | Re: Database Encryption (now required by law in Italy) |
Date: | 2004-03-05 11:17:52 |
Message-ID: | OAEAKHEHCMLBLIDGAFELIEKOEOAA.matt@ymogen.net |
Lists: | pgsql-admin |

> What's wrong with using a LoopAES filesystem? It protects against
> someone walking off with the server, or at least the hard disk, and
> being able to see the data.

Yes, but only if the password has to be entered manually [1] at boot time.
And it gives zero protection against someone who gains root access to the
server.

So you _also_ have to encrypt the sensitive data before giving it to the
DB, using a key that is not stored on the DB server.

Of course that means your app servers have to have _those_ passwords/
keys entered manually at boot time, or else someone who roots them can
read your sensitive data quite trivially.

And to do any better than that you need one of those very snazzy cards
from nCipher or whoever, that allow you to process encrypted data in a
hardware sandbox so even your application doesn't see it, or at least
only allow signed code to manipulate the data.

Matt

[1] There are ways of avoiding having to enter the info manually, but
they're very tricky to implement securely.
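
Added example, not part of the message above or of PostgreSQL: one way an application server could encrypt a column value before giving it to the DB, with the key held only in the application's memory. It goes slightly beyond the message by binding each value to its row through AES-GCM associated data; `FieldCipher`, the `table.column:id` label and the sample values are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// FieldCipher exists only in app-server memory; the DB stores Seal's output and never sees the key.
type FieldCipher struct{ aead cipher.AEAD }

// NewFieldCipher takes the 32-byte key an operator supplies when the app server starts.
func NewFieldCipher(key []byte) (*FieldCipher, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(key) != 32 {
		return nil, fmt.Errorf("need a 32-byte AES-256 key (got %d bytes)", len(key))
	}
	aead, err := cipher.NewGCM(block)
	return &FieldCipher{aead}, err
}

// Seal encrypts one column value. where (hypothetical label "table.column:id") is
// authenticated but not stored, so a value copied into another row fails Open.
func (f *FieldCipher) Seal(plaintext []byte, where string) ([]byte, error) {
	nonce := make([]byte, f.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return f.aead.Seal(nonce, nonce, plaintext, []byte(where)), nil // nonce || ciphertext || tag
}

// Open reverses Seal for a value read back from the database.
func (f *FieldCipher) Open(stored []byte, where string) ([]byte, error) {
	n := f.aead.NonceSize()
	if len(stored) < n {
		return nil, fmt.Errorf("stored value too short: %d bytes", len(stored))
	}
	return f.aead.Open(nil, stored[:n], stored[n:], []byte(where))
}

func main() {
	key := make([]byte, 32) // constructed stand-in for the operator-entered key
	rand.Read(key)
	fc, _ := NewFieldCipher(key)
	stored, _ := fc.Seal([]byte("constructed sample value"), "patients.diagnosis:42")
	plain, err := fc.Open(stored, "patients.diagnosis:42")
	fmt.Printf("%d bytes stored, decrypted %q, err=%v\n", len(stored), plain, err)
}
```

The returned bytes would go into a `bytea` column; a process that holds the key in memory is still exposed to anyone who gains root on that application server, as the message points out.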