Thread: Encryption / Decryption via PGCrypto


Encryption / Decryption via PGCrypto

From
"Anjul Tyagi"
Date:
Hi Experts,

We are implementing the pgcrypto in our database to encrypt and decrypt the column data. For testing purposes we have generated the PGP public / private key and use those when we read and write data.

How can we secure the key? If we keep the key outside, how can we use it in a query?

Thanks for your help.

Regards,

Anjul TYAGI

 



Re: Encryption / Decryption via PGCrypto

From
Stéphane KANSCHINE
Date:
Hi,

On Wed, 24 Oct, around 08:27, Anjul Tyagi wrote:
> 
> We are implementing the pgcrypto in our database to encrypt and decrypt the
> column data. For testing purposes we have generated the PGP public / private
> key and use those when we read and write data.
> 
> How can we secure the key? If we keep the key outside, how can we use it
> in a query?

We keep the private key on the app server. It communicates with postgres
through SSL and postgres logs aren't too verbose in order to avoid key
exposure.

If there's a better way, I'm curious about it.

Regards,
-- 
Stéphane KANSCHINE - https://www.hexack.fr./ - https://www.nuajik.io./
@ stephane@hexack.fr
  +33 6 64 31 72 52


Re: Encryption / Decryption via PGCrypto

From
Evan Bauer
Date:
All depends on how secure you want to be in the event of a hostile network penetration.

If the answer is “very”, consider using a key management solution — either software (I like HashiCorp Vault) or
dedicated HSM hardware from someone like Gemalto or Thales.

Having the key on a separate server doesn’t help if the application server is compromised.

Cheers,

Evan


> On Oct 24, 2018, at 05:00, Stéphane KANSCHINE <stephane@hexack.fr> wrote:
>
>
> Hi,
>
> On Wed, 24 Oct, around 08:27, Anjul Tyagi wrote:
>>
>> We are implementing the pgcrypto in our database to encrypt and decrypt the
>> column data. For testing purposes we have generated the PGP public / private
>> key and use those when we read and write data.
>>
>> How can we secure the key? If we keep the key outside, how can we use it
>> in a query?
>
> We keep the private key on the app server. It communicates with postgres
> through SSL and postgres logs aren't too verbose in order to avoid key
> exposure.
>
> If there's a better way, I'm curious about it.
>
> Regards,
> --
> Stéphane KANSCHINE - https://www.hexack.fr./ - https://www.nuajik.io./
> @ stephane@hexack.fr
>   +33 6 64 31 72 52
>