On 12/23/2015 8:16 AM, oleg yusim wrote:
>
> To my knowledge, many databases are using what called TDE to encrypt
> data at rest and protect data from being accessed by attacker on host
> this way. Here is the reference to quick guide on it:
> https://www.simple-talk.com/sql/database-administration/transparent-data-encryption/
that article is talking about a specific feature of Microsoft SQL Server
Enterprise Edition, which upon a quick skim sounds to me to be smoke and
mirrors 'security-by-checklist' protection. If the encryption keys are
stored on the system, then anyone with access to the raw data can
decrypt it, no matter how much smoke and mirrors you wave around to
obfuscate this fact.
In PostgreSQL 'shared memory' has a quite specific meaning, its
referring to the pool of buffer memory (ram) shared by all postgres
server processes. this is primarily used as the buffer cache. In a
properly secured operating system, ONLY the postgres server processes
have access to this shared memory segment, but the details of OS level
memory management are outide postgres's scope, since its portable and
designed to be able to run on most any OS that provides basic memory
management, multiple processes, and a reliable/robust file system, with
tcp/ip socket support.
--
john r pierce, recycling bits in santa cruz