Обсуждение: PG Database Encryption
Hello PG Admins , Team :)
We have enabled SSL Based replication & connection from Application to PostgreSql DB using SSL via pgbouncer.
My Question is in regard to implementing DataBase Encryption.
Background : We are using PostgreSql DB for Atlassian Bitbucket Application.
We want to implement encryption for databases at system level ( it can be at rest (archive) or while retrieving (accessing it)).
Seeking guidance in this regard on How to enable DataBase Encryption of Postgresql DB. Can anyone guide me in this regard or share a few pointers pages on "How to enable it" or any 3rd party tools that can do ths.
Thanks & Regards,
Ravi
On Thu, May 25, 2023 at 01:51:53PM +0530, Ravi GH wrote: > Seeking guidance in this regard on How to enable DataBase Encryption of > Postgresql DB. Can anyone guide me in this regard or share a few pointers > pages on "How to enable it" or any 3rd party tools that can do ths. Pg doesn't have anything like this now. What you can do, is: 1. Check https://wiki.postgresql.org/wiki/Transparent_Data_Encryption 2. Encrypt the filesystem/disk that the PG is on, using whatever tool your operating system provides. Best regards, depesz
On 5/25/23 03:21, Ravi GH wrote: > Hello PG Admins , Team :) > > We have enabled SSL Based replication & connection from Application to > PostgreSql DB using SSL via pgbouncer. > > My Question is in regard to implementing DataBase Encryption. > > Background : We are using PostgreSql DB for Atlassian Bitbucket Application. > We want to implement encryption for databases at > system level ( it can be at rest (archive) PgBackRest can encrypt it's backups using AES-256. > or while retrieving (accessing it)). > > Seeking guidance in this regard on How to enable DataBase Encryption of > Postgresql DB. Can anyone guide me in this regard or share a few pointers > pages on "How to enable it" or any 3rd party tools that can do ths. > > Thanks & Regards, > Ravi -- Born in Arizona, moved to Babylonia.
Hi,
I am new to this list, please forgive me if I am submitting the following to the wrong place.
We've just installed pgAdmin4 web on RHEL7.9.
Once we started the httpd service, we couldn't login the system, the webpage spins forever.
The error message is attached below.
The RHEL 7.9 we use has FIPS enabled, e.g. cat /proc/sys/crypto/fips_enabled has a value of 1.
It seems the version of pgAdmin4, 6.21, still uses MD5, which is not allowed by FIPS.
I'd highly appreciate if anyone could let us know:
1. Is there a version of pgAdmin4 on RHEL 7.9 that supports FIPS?
2. Is there any plan down the road that pgAdmin4 would support FIPS on RHEL 7.9?
3. Is there any way to get around the issue?
Many thanks in advance,
==============Error msg in pgadmin log file =========================
2023-05-16 03:04:13,593: ERROR pgadmin: [digital envelope routines: EVP_DigestInit_ex] disabled for fips
Traceback (most recent call last):
File "/usr/pgadmin4/venv/lib64/python3.6/site-packages/flask/app.py", line 1516, in full_dispatch_request
rv = self.dispatch_request()
File "/usr/pgadmin4/venv/lib64/python3.6/site-packages/flask/app.py", line 1502, in dispatch_request
Connection to 10.138.182.10 closed by remote host.le.endpoint])(**req.view_args)
Connection to 10.138.182.10 closed.thon3.6/site-packages/flask_login/utils.py", line 272, in decorated_view
[daxu@ip-192-168-40-129 ~]$ rgs)
File "/usr/pgadmin4/web/pgadmin/browser/__init__.py", line 634, in utils
current_ui_lock=current_ui_lock
File "/usr/pgadmin4/venv/lib64/python3.6/site-packages/flask/templating.py", line 150, in render_template
ctx.app,
File "/usr/pgadmin4/venv/lib64/python3.6/site-packages/flask/templating.py", line 128, in _render
rv = template.render(context)
File "/usr/pgadmin4/venv/lib64/python3.6/site-packages/jinja2/environment.py", line 1291, in render
self.environment.handle_exception()
File "/usr/pgadmin4/venv/lib64/python3.6/site-packages/jinja2/environment.py", line 925, in handle_exception
raise rewrite_traceback_stack(source=source)
File "/usr/pgadmin4/web/pgadmin/browser/templates/browser/js/utils.js", line 119, in top-level template code
gravatar: {% if config.SHOW_GRAVATAR_IMAGE %}'{{ username | gravatar }}'{% else %}''{% endif %},
File "/usr/pgadmin4/venv/lib64/python3.6/site-packages/flask_gravatar/__init__.py", line 151, in __call__
hash = hashlib.md5(email.encode('utf-8')).hexdigest()
ValueError: [digital envelope routines: EVP_DigestInit_ex] disabled for fips
Daxu Yin
410-340-5842
410-340-5842
On Thursday, May 25, 2023 at 09:03:19 AM EDT, Ron <ronljohnsonjr@gmail.com> wrote:
On 5/25/23 03:21, Ravi GH wrote:
> Hello PG Admins , Team :)
>
> We have enabled SSL Based replication & connection from Application to
> PostgreSql DB using SSL via pgbouncer.
>
> My Question is in regard to implementing DataBase Encryption.
>
> Background : We are using PostgreSql DB for Atlassian Bitbucket Application.
> We want to implement encryption for databases at
> system level ( it can be at rest (archive)
PgBackRest can encrypt it's backups using AES-256.
> or while retrieving (accessing it)).
>
> Seeking guidance in this regard on How to enable DataBase Encryption of
> Postgresql DB. Can anyone guide me in this regard or share a few pointers
> pages on "How to enable it" or any 3rd party tools that can do ths.
>
> Thanks & Regards,
> Ravi
--
Born in Arizona, moved to Babylonia.
> Hello PG Admins , Team :)
>
> We have enabled SSL Based replication & connection from Application to
> PostgreSql DB using SSL via pgbouncer.
>
> My Question is in regard to implementing DataBase Encryption.
>
> Background : We are using PostgreSql DB for Atlassian Bitbucket Application.
> We want to implement encryption for databases at
> system level ( it can be at rest (archive)
PgBackRest can encrypt it's backups using AES-256.
> or while retrieving (accessing it)).
>
> Seeking guidance in this regard on How to enable DataBase Encryption of
> Postgresql DB. Can anyone guide me in this regard or share a few pointers
> pages on "How to enable it" or any 3rd party tools that can do ths.
>
> Thanks & Regards,
> Ravi
--
Born in Arizona, moved to Babylonia.
On Thu, May 25, 2023, 10:11 Daxu Yin <daxuyin@yahoo.com> wrote:
Hi,I am new to this list, please forgive me if I am submitting the following to the wrong place.We've just installed pgAdmin4 web on RHEL7.9.Once we started the httpd service, we couldn't login the system, the webpage spins forever.The error message is attached below.The RHEL 7.9 we use has FIPS enabled, e.g. cat /proc/sys/crypto/fips_enabled has a value of 1.It seems the version of pgAdmin4, 6.21, still uses MD5, which is not allowed by FIPS.I'd highly appreciate if anyone could let us know:1. Is there a version of pgAdmin4 on RHEL 7.9 that supports FIPS?2. Is there any plan down the road that pgAdmin4 would support FIPS on RHEL 7.9?3. Is there any way to get around the issue?Many thanks in advance,==============Error msg in pgadmin log file =========================2023-05-16 03:04:13,593: ERROR pgadmin: [digital envelope routines: EVP_DigestInit_ex] disabled for fipsTraceback (most recent call last):File "/usr/pgadmin4/venv/lib64/python3.6/site-packages/flask/app.py", line 1516, in full_dispatch_requestrv = self.dispatch_request()File "/usr/pgadmin4/venv/lib64/python3.6/site-packages/flask/app.py", line 1502, in dispatch_requestConnection to 10.138.182.10 closed by remote host.le.endpoint])(**req.view_args)Connection to 10.138.182.10 closed.thon3.6/site-packages/flask_login/utils.py", line 272, in decorated_view[daxu@ip-192-168-40-129 ~]$ rgs)File "/usr/pgadmin4/web/pgadmin/browser/__init__.py", line 634, in utilscurrent_ui_lock=current_ui_lockFile "/usr/pgadmin4/venv/lib64/python3.6/site-packages/flask/templating.py", line 150, in render_templateFile "/usr/pgadmin4/venv/lib64/python3.6/site-packages/flask/templating.py", line 128, in _renderrv = template.render(context)File "/usr/pgadmin4/venv/lib64/python3.6/site-packages/jinja2/environment.py", line 1291, in renderself.environment.handle_exception()File "/usr/pgadmin4/venv/lib64/python3.6/site-packages/jinja2/environment.py", line 925, in handle_exceptionraise rewrite_traceback_stack(source=source)File "/usr/pgadmin4/web/pgadmin/browser/templates/browser/js/utils.js", line 119, in top-level template codegravatar: {% if config.SHOW_GRAVATAR_IMAGE %}'{{ username | gravatar }}'{% else %}''{% endif %},File "/usr/pgadmin4/venv/lib64/python3.6/site-packages/flask_gravatar/__init__.py", line 151, in __call__hash = hashlib.md5(email.encode('utf-8')).hexdigest()ValueError: [digital envelope routines: EVP_DigestInit_ex] disabled for fipsDaxu Yin
410-340-5842
Wrong email list. I think this is what you want for pgAdmin pgadmin-support@lists.postgresql.org or https://www.postgresql.org/list/pgadmin-support/
Best regards,
Dan Smith
Thanks depesz , Ron, Marco & others,
I tried the suggested option of TDE , to enable Cluster Level Encryption. I had followed the "Installation from Source Code" method with --with-ssl=openssl parameter to ./configure during build.
1. Please confirm the enabling encryption is possible only by install from source with --with-ssl parameter?
2. I could enable encryption using PG 12 with patched version provided at here , do we need to purchase the product or is it possible with Postgres source shared at https://www.postgresql.org/ftp/source/v14.7/
We are using Ubuntu 22 and we will prefer to go with TDE cluster level encryption, please advise can we try to implement it by install from source ( with shared source at https://www.postgresql.org/ftp/source/v14.7 ) or need to purchasing TDE patched version is mandatory to enable cluster level encryption?
Thanks a lot,
Ravi
On Thu, May 25, 2023 at 3:52 PM hubert depesz lubaczewski <depesz@depesz.com> wrote:
On Thu, May 25, 2023 at 01:51:53PM +0530, Ravi GH wrote:
> Seeking guidance in this regard on How to enable DataBase Encryption of
> Postgresql DB. Can anyone guide me in this regard or share a few pointers
> pages on "How to enable it" or any 3rd party tools that can do ths.
Pg doesn't have anything like this now.
What you can do, is:
1. Check https://wiki.postgresql.org/wiki/Transparent_Data_Encryption
2. Encrypt the filesystem/disk that the PG is on, using whatever tool
your operating system provides.
Best regards,
depesz
"Give me the place to stand, and I shall move the earth" — Archimedes
On Mon, 2023-05-29 at 17:28 +0530, Ravi GH wrote: > I tried the suggested option of TDE , to enable Cluster Level Encryption. I had followed the > "Installation from Source Code" method with --with-ssl=openssl parameter to ./configure during build. > > 1. Please confirm the enabling encryption is possible only by install from source with --with-ssl parameter? Sounds right. > 2. I could enable encryption using PG 12 with patched version provided at here , do we need to purchase > the product or is it possible with Postgres source shared at https://www.postgresql.org/ftp/source/v14.7/ It is free open source. You can get the patched version for different releases here: https://github.com/cybertec-postgresql/postgres/tags > We are using Ubuntu 22 and we will prefer to go with TDE cluster level encryption, please advise can we try > to implement it by install from source ( with shared source at https://www.postgresql.org/ftp/source/v14.7 ) > or need to purchasing TDE patched version is mandatory to enable cluster level encryption? That should be here: https://github.com/cybertec-postgresql/postgres/releases/tag/PG_14_7_TDE_1_1_3 Yours, Laurenz Albe
Thanks Laurenz, Team.
FYI, I am trying to contact the Cybertec team :) , i have following queries
FYI, I am trying to contact the Cybertec team :) , i have following queries
Queries:
The native Postgres does not mention about "Cluster-level encryption" at page https://www.postgresql.org/docs/14/encryption-options.html
Does this mean DB Cluster encryption is not yet fully supported by Native Postgres release? ( and if we need this feature then better to rely on Ubuntu deb packages from cybertec or download patch versions?
Request to share your known info in this regard which will help us to great extent.
Thank You,
Ravi
On Thu, Jun 1, 2023 at 12:16 AM Laurenz Albe <laurenz.albe@cybertec.at> wrote:
On Mon, 2023-05-29 at 17:28 +0530, Ravi GH wrote:
> I tried the suggested option of TDE , to enable Cluster Level Encryption. I had followed the
> "Installation from Source Code" method with --with-ssl=openssl parameter to ./configure during build.
>
> 1. Please confirm the enabling encryption is possible only by install from source with --with-ssl parameter?
Sounds right.
> 2. I could enable encryption using PG 12 with patched version provided at here , do we need to purchase
> the product or is it possible with Postgres source shared at https://www.postgresql.org/ftp/source/v14.7/
It is free open source.
You can get the patched version for different releases here:
https://github.com/cybertec-postgresql/postgres/tags
> We are using Ubuntu 22 and we will prefer to go with TDE cluster level encryption, please advise can we try
> to implement it by install from source ( with shared source at https://www.postgresql.org/ftp/source/v14.7 )
> or need to purchasing TDE patched version is mandatory to enable cluster level encryption?
That should be here: https://github.com/cybertec-postgresql/postgres/releases/tag/PG_14_7_TDE_1_1_3
Yours,
Laurenz Albe
"Give me the place to stand, and I shall move the earth" — Archimedes
On Mon, 2023-06-05 at 11:37 +0530, Ravi GH wrote: > Does this mean DB Cluster encryption is not yet fully supported by Native Postgres release? Correct. You need a modified version of the PostgreSQL server. Yours, Laurenz Albe