From: | Timothy Madden <terminatorul(at)gmail(dot)com> |
---|---|
To: | Kevin Grittner <Kevin(dot)Grittner(at)wicourts(dot)gov> |
Cc: | Scott Marlowe <scott(dot)marlowe(at)gmail(dot)com>, Joe Conway <mail(at)joeconway(dot)com>, pgsql-admin(at)postgresql(dot)org |
Subject: | Re: Database level encryption |
Date: | 2010-04-07 10:45:11 |
Message-ID: | j2n5078d8af1004070345k3e08ca69l261d4dbb006b610e@mail.gmail.com |
Lists: | pgsql-admin |
On Wed, Apr 7, 2010 at 1:07 AM, Kevin Grittner
<Kevin(dot)Grittner(at)wicourts(dot)gov> wrote:
> Timothy Madden <terminatorul(at)gmail(dot)com> wrote:
>
[...]
> But the server needs to read certain data from the database
> directory in order to start. In particular, WAL files need to be
> read to get a clean start, and those can contain any data from the
> database table. Any or all tables may need to be accessed to get
> the database to a consistent point on startup. Plus there are all
> the system catalogs, including the ones needed to authenticate
> users.
OK, let's put the key-logger issue aside from database encryption.
I am willing to accept that the server may need to read the list of
tables/schema objects in the database, and some leftover data, in
order to start, as long as the leftover data is immediately discarded
upon start-up, and as long as it is likely that this data is not a
large fraction of the data found in the database. It would still be
nice if this check or clean-up could be delayed until such time as some
user really selects the database for use, and provides a password.
I would expect the database (or catalog, I guess, is it?) to be
visible, but any attempt to connect without the password would fail as
if the user has no rights on the database or the password is wrong. What I
perceive as a problem here might be that an encrypted database would
automatically need the privileges to be set up so that only the owner
can read or connect to it. That is, its privileges would have to
indicate that even the postgres user can not read it, except maybe for
the names of tables and schema objects, if the server insists that it
needs those for a clean start-up, and so those shall remain clear
text.
User authentication should be unrelated to encrypting the database
owned by that user. You can think of it as if only the owner can ever
connect to such a database, and his/her password is the encryption
key, or as if any user that wishes to connect should provide the
encryption key first, and then the user name and password.
Thank you,
Timothy Madden
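As an added illustration of the model described in the message above (example code written for this page, not PostgreSQL code and not code from the thread): a toy "database" whose catalog (object names) is stored in clear, whose table contents are sealed under a key derived from the owner's password, and whose connect() fails with the same error for a wrong key as for a missing privilege. The server process holds no key at all, which is exactly the property the quoted objection about WAL replay at start-up runs into. The cipher is HMAC-SHA256 in counter mode with encrypt-then-MAC, chosen only so the example runs on the standard library; a real system would use an AEAD such as AES-GCM. The password, table names and row bytes are constructed sample data.

```python
"""Toy model of a per-database key derived from the owner's password.

Standard-library only. Not a production cipher: HMAC-SHA256 in counter mode
plus an HMAC tag stands in for a real AEAD so the example runs anywhere.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

_NONCE_LEN = 16
_TAG_LEN = 32


def derive_key(password: str, salt: bytes) -> bytes:
    """Slow KDF: a stolen salt plus a password guess must cost real work."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF (HMAC-SHA256) run in counter mode to produce `length` bytes."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag, with the tag over nonce and ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(_NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns the plaintext, or None when the key is wrong or the blob was altered."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:_NONCE_LEN], blob[_NONCE_LEN:-_TAG_LEN], blob[-_TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Session:
    def __init__(self, key: bytes, tables: Dict[str, bytes]):
        self._key, self._tables = key, tables

    def read(self, table: str) -> bytes:
        data = unseal(self._key, self._tables[table])
        if data is None:
            raise PermissionError("permission denied for relation " + table)
        return data


class EncryptedDatabase:
    """On disk: clear-text catalog, a KDF salt, a key-check blob, sealed tables.

    Nothing stored here lets the server (or the OS user it runs as) recover
    table contents; only a connecting user who supplies the password can.
    """

    def __init__(self, owner_password: str, tables: Dict[str, bytes]):
        self.salt = secrets.token_bytes(16)
        key = derive_key(owner_password, self.salt)
        self.catalog = sorted(tables)                 # object names stay clear text
        self.check = seal(key, b"key-check")          # lets connect() validate the key
        self.tables = {name: seal(key, rows) for name, rows in tables.items()}

    def on_disk_view(self) -> dict:
        """What a file-system reader (postgres OS user, backup, thief) sees."""
        return {"catalog": self.catalog, "salt": self.salt, "tables": self.tables}

    def connect(self, password: str) -> Session:
        key = derive_key(password, self.salt)
        if unseal(key, self.check) != b"key-check":
            # Same error whether the caller lacks rights or the password is wrong.
            raise PermissionError("permission denied for database")
        return Session(key, self.tables)


# Constructed sample data, not taken from any real system.
SAMPLE_PASSWORD = "owner-password-example"
SAMPLE_TABLES = {"customers": b"alice,4111-example\nbob,4222-example\n",
                 "audit_log": b"2010-04-07 login alice\n"}


def demo() -> EncryptedDatabase:
    return EncryptedDatabase(SAMPLE_PASSWORD, SAMPLE_TABLES)


if __name__ == "__main__":
    db = demo()
    print("catalog visible on disk:", db.on_disk_view()["catalog"])
    print("customers via session:", db.connect(SAMPLE_PASSWORD).read("customers"))
```

The key-check blob is what makes a wrong password indistinguishable from a missing privilege at connect time: the server verifies an HMAC tag it cannot forge without the derived key, and never learns the password itself. Note also that everything except the catalog is opaque to on_disk_view(), which is the source of the start-up problem raised in the quoted reply.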