On Mon, Jun 18, 2018 at 12:29:57PM -0500, Nico Williams wrote:
> On Mon, Jun 11, 2018 at 06:22:22PM +0900, Masahiko Sawada wrote:
> > As per discussion at PGCon unconference, I think that firstly we need
> > to discuss what threats we want to defend database data against. If
>
> We call that a threat model. There can be many threat models, of
> course.
>
> > user wants to defend against a threat that is malicious user who
> > logged in OS or database steals an important data on datbase this
> > design TDE would not help. Because such user can steal the data by
> > getting a memory dump or by SQL. That is of course differs depending
> > on system requirements or security compliance but what threats do you
> > want to defend database data against? and why?
>
> This design guards (somewhat) againts the threat of the storage theft
> (e.g., because the storage is remote). It's a fine threat model to
> address, but it's also a lot easier to address in the filesystem or
> device drivers -- there's no need to do this in PostgreSQL itself except
> so as to support it on all platforms regardless of OS capabilities.
>
> Note that unless the pg_catalog is protected against manipulation by
> remote storage, then TDE for user tables might be possible to
> compromise. Like so: the attacker manipulates the pg_catalog to
> escalate privelege in order to obtain the TDE keys. This argues for
> full database encryption, not just specific tables or columns. But
> again, this is for the threat model where the storage is the threat.
Yes, one big problem with per-column encryption is that administrators
can silently delete data, though they can't add or modify it.
> Another similar thread model is dump management, where dumps are sent
> off-site where untrusted users might read them, or even edit them in the
> hopes that they will be used for restores and thus compromise the
> database. This is most easily addressed by just encrypting the backups
> externally to PG.
>
> Threat models where client users are the threat are easily handled by
> PG's permissions system.
>
> I think any threat model where DBAs are not the threat is just not that
> interesting to address with crypto within postgres itself...
Yes, but in my analysis the only solution there is client-side
encryption:
http://momjian.us/main/writings/crypto_hw_use.pdf#page=97
You might want to look at the earlier slides too.
--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ As you are, so once was I. As I am, so you will be. +
+ Ancient Roman grave inscription +