| From: | Ron <ronljohnsonjr(at)gmail(dot)com> |
|---|---|
| To: | pgsql-admin(at)lists(dot)postgresql(dot)org |
| Subject: | Re: Encryption in pg_dump |
| Date: | 2020-07-23 07:17:54 |
| Message-ID: | a91e4430-6e74-2980-b914-7a045d3636ad@gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-admin |
On 7/23/20 1:58 AM, Olivier Gautherot wrote:
> Hi all,
>
> Le jeu. 23 juil. 2020 à 07:34, Tim Cross <theophilusx(at)gmail(dot)com
> <mailto:theophilusx(at)gmail(dot)com>> a écrit :
>
>
> Paul Förster <paul(dot)foerster(at)gmail(dot)com
> <mailto:paul(dot)foerster(at)gmail(dot)com>> writes:
>
> > Hi Bruce,
> >
> >> On 22. Jul, 2020, at 20:55, Bruce Momjian <bruce(at)momjian(dot)us
> <mailto:bruce(at)momjian(dot)us>> wrote:
> >>
> >> Does anyone know why we are getting so many requests for encrypting
> >> dumps all of a sudden?
> >
> > probably because a) people don't read past posts and b) more and
> more IT heads decide that *everything*, be it internal to the company
> or not, has to be encrypted.
> >
>
> Yes, I think the IT heads issue is the primary driver - combined with
> very poor understanding of information security at senior levels and a
> huge growth of poor quality and 'snake oil salesmen' in the IT
> security space
> due to the amount of money ill informed senior managers are throwing at
> what they think is a technical problem which usually is in fact a
> business process problem.
>
>
> The root cause is probably that, if you can't separate sensitive
> information, you must encrypt everything - hence the dump. It may be a
> sign of bad design to start with, with data at rest not protected in the
> first place. It may also be a sign of "encrypt everything to be safe" as a
> false perception of security, increasing the attack surface instead of
> reducing it. And we could carry on with this list.
>
> Put it on the account of GDPR, as compliance is not an easy job.
>
When Oracle, SQL Server and MySQL Enterprise all have Transparent Data
Encryption, the expectation is that all databases should have TDE.
Auditors and IT upper management don't really understand the limitations of
TDE, but that does not matter. The magic word *Encryption* is in there, and
that means they like it
Adding hooks into libgpgme from pg_dump and pg_restore (needed for
--format=directory) would be *Very Helpful*.
--
Angular momentum makes the world go 'round.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Paul Förster | 2020-07-23 07:23:37 | Re: Encryption in pg_dump |
| Previous Message | Dischner, Anton | 2020-07-23 07:04:54 | AW: Encryption in pg_dump |