Обсуждение: database encryption
Hello, I'd like to know which solutions exist encrypt postgresql database ? Did you already use an encryption method ? I saw on the web that there is a contrib (pgcypto) but I can't estimate its efficiency Olivier
Вложения
On Wed, Feb 07, 2007 at 11:23:03AM +0100, Olivier Boissard wrote:
> I saw on the web that there is a contrib (pgcypto) but I can't estimate
> its efficiency
Well, it works for some people. What are you trying to accomplish
with "database encryption"?
A
--
Andrew Sullivan | ajs@crankycanuck.ca
The whole tendency of modern prose is away from concreteness.
--George Orwell
Andrew Sullivan a écrit : > On Wed, Feb 07, 2007 at 11:23:03AM +0100, Olivier Boissard wrote: > >> I saw on the web that there is a contrib (pgcypto) but I can't estimate >> its efficiency >> > > Well, it works for some people. What are you trying to accomplish > with "database encryption"? > > A > > I would like to insert sensitive data into postgresql tables. These informations must be well-protected as they are confidential but they must be "decrypted" by php programs too. (These PHP programs will be encrypted by php encryptions program.) I was thinking about a system in which only the php programs will be able to manage stored informations. In case of theft or unexpected access to servers nobody could be able to retrieve the stored data without the authorized key. Olivier
Вложения
On Thu, Feb 08, 2007 at 09:13:48AM +0100, Olivier Boissard wrote: > I was thinking about a system in which only the php programs will be > able to manage stored informations. In case of theft or unexpected > access to servers nobody could be able to retrieve the stored data > without the authorized key. What about theft or compromise of the server running the PHP code? In general it's a good idea to encrypt and decrypt as close to where the cleartext is needed to limit exposure, but you should also consider the vulnerability of the system that holds the key. For some applications it might make sense to use public-key encryption with the exposed (e.g., Internet-facing) server having only the public (encryption) key and a more protected backend server having the corresponding private (decryption) key. Without knowing the requirements and the threat model it's impossible to suggest a suitable solution. Can you be more specific about what you're trying to do? -- Michael Fuhr
Michael Fuhr wrote:
> On Thu, Feb 08, 2007 at 09:13:48AM +0100, Olivier Boissard wrote:
> > I was thinking about a system in which only the php programs will be
> > able to manage stored informations. In case of theft or unexpected
> > access to servers nobody could be able to retrieve the stored data
> > without the authorized key.
>
> What about theft or compromise of the server running the PHP code?
> In general it's a good idea to encrypt and decrypt as close to where
> the cleartext is needed to limit exposure, but you should also
> consider the vulnerability of the system that holds the key. For
> some applications it might make sense to use public-key encryption
> with the exposed (e.g., Internet-facing) server having only the
> public (encryption) key and a more protected backend server having
> the corresponding private (decryption) key.
>
> Without knowing the requirements and the threat model it's impossible
> to suggest a suitable solution. Can you be more specific about what
> you're trying to do?
We do have an encryption section in our documentation:
http://www.postgresql.org/docs/8.2/static/encryption-options.html
--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://www.enterprisedb.com
+ If your life is a hard drive, Christ can be your backup. +
Bruce Momjian a écrit : > Michael Fuhr wrote: > >> On Thu, Feb 08, 2007 at 09:13:48AM +0100, Olivier Boissard wrote: >> >>> I was thinking about a system in which only the php programs will be >>> able to manage stored informations. In case of theft or unexpected >>> access to servers nobody could be able to retrieve the stored data >>> without the authorized key. >>> >> What about theft or compromise of the server running the PHP code? >> In general it's a good idea to encrypt and decrypt as close to where >> the cleartext is needed to limit exposure, but you should also >> consider the vulnerability of the system that holds the key. For >> some applications it might make sense to use public-key encryption >> with the exposed (e.g., Internet-facing) server having only the >> public (encryption) key and a more protected backend server having >> the corresponding private (decryption) key. >> >> Without knowing the requirements and the threat model it's impossible >> to suggest a suitable solution. Can you be more specific about what >> you're trying to do? >> > > We do have an encryption section in our documentation: > > http://www.postgresql.org/docs/8.2/static/encryption-options.html > > > Thanks for responses. I expose the context of my question : I need to install a server for a specific web application written in PHP. This one works by making queries to a postgresql database. The database contains confidential data. For several reasons the server will be installed inside the Local network of our client. I will not be able to supervise and control it. As it's a fussy situation I am thinking about encryption. I was thinking about PHP encryption solution (Zend or Ioncube) for the web application protection. But sensitive data must be protected too. Pgcrypto seemed to be the encryption solution but I am not sure it's a good idea because all keys will be located on server ( if I have well understood) and the documention explain that the data will appear on "clear text" for a short period. Olivier
Вложения
On Fri, Feb 09, 2007 at 09:03:20 +0100, Olivier Boissard <olivier.boissard@cerene.fr> wrote: > Thanks for responses. > I expose the context of my question : > > I need to install a server for a specific web application written in PHP. > This one works by making queries to a postgresql database. The database > contains confidential data. Who are you trying to keep this data from? Does this include the client? Who needs to see the decrypted data? Does the database need to in order to efficiently do queries? Does the webserver/php server need to or does it produce output that the end user can download and decrypt on their end? > For several reasons the server will be installed inside the Local > network of our client. I will not be able to supervise and control it. Again, is your client being treated as an opponent? Are you worried about other threats such as stolen servers or back up tapes? > As it's a fussy situation I am thinking about encryption. > I was thinking about PHP encryption solution (Zend or Ioncube) for the > web application protection. > But sensitive data must be protected too. Again, from who? > Pgcrypto seemed to be the encryption solution but I am not sure it's a > good idea because all keys will be located on server ( if I have well > understood) and the documention explain that the data will appear on > "clear text" for a short period. Whether or not that is a problem depends on what kind of attacks you are trying to protect against. If you are trying to protect against the case where the db server gets owned, having the keys on the server will make them available to the attacker.