Performance or maintainability
Database
Storage
Harddrive/filesystem encryption
- Independent of the database
- Filesystem and block device level
- Needs to keep fsync behaviour!
- Keeps all database functionality
- Where to store the key?
Consulting Development IT Operations Training Support Products
Pgcrypto
- Encryption as database functions
- Client independent
- Don't forget to encrypt the connection!
Pgcrypto - challenges
Encryption is easy
Pgcrypto - overview
- Type: bf-cbc, aes-cbc, ... (ecb supported, but...)
- Operates on bytea, returns bytea
- gen_random_bytes() can be used to create key
armor(), dearmor()
- Public key encryption also supported, but no key generation
- Will detect wrong key/corrupt data
Key management
- Where to store the key
- How to protect the key
- How to access the key
- How to do key recovery
- Sorry, can't really be done by index
- Match encrypted data for raw encrypted without padding
But this decreases security! And does "is equal" matching only
Index on expression
SSL
- Enabled on the server (ssl=yes)
- Optionally required through pg_hba
- Optionally required in libpq
- Need to protect data in both directions
- For example username/password
- Must know before connection is started
SSL encryption
- SSL always requires a server certificate
- Can be self-signed
- Does not need to be known by client
Certificate chains
Issuer
Root certificate
Issuer
Intermediate certificate
Issuer
Server certificate
Certificate chains
Self-signed certificate
Issuer
Root certificate
Issuer
Intermediate certificate
Issuer
Server certificate
Client
Server
Eavesdropping
- Prevented by encrypting all data
- Key negotiation is automatic
- Server certificate used but not verified
Fake server
Client
Server
- On top of encryption
- Validate that the server is who it claims to be
- CA issues certificate, can be self-signed
- CA certificate known by client
Fake server
Client
Server
- On top of encryption
- Normally on top of server verification, but not necessary
- CA issued certificate on client
- Match CN on certificate to user id
- Protect client certificate!
SSL in libpq
- Controlled by sslmode parameter
- Or environment PGSSLMODE
- For security, must be set on client
Performance overhead
no If necessary If possible yes yes yes
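
A client-side check for the point that sslmode must be set on the client: this added example (not part of the original slides) resolves the effective sslmode from a connection string, then PGSSLMODE, then the libpq default, and lists which of the threats above remain open. The mode names and the default `prefer` are libpq's; the function names, host names and finding texts are assumptions made for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# keyword = value pairs; a value may be single-quoted with backslash escapes
_PAIR = re.compile(r"(\w+)\s*=\s*('(?:[^'\\]|\\.)*'|\S*)")
ENCRYPTED = {"require", "verify-ca", "verify-full"}  # connection fails without SSL
VERIFIED = {"verify-ca", "verify-full"}  # chain checked against a CA the client knows
KNOWN = {"disable", "allow", "prefer"} | ENCRYPTED

def conninfo_params(conninfo):
    """Parse a libpq connection string in URI or keyword/value form."""
    if conninfo.startswith(("postgresql://", "postgres://")):
        query = parse_qs(urlsplit(conninfo).query)
        return {key: values[-1] for key, values in query.items()}
    params = {}
    for key, value in _PAIR.findall(conninfo):
        if value.startswith("'"):
            value = re.sub(r"\\(.)", r"\1", value[1:-1])  # unquote, unescape
        params[key] = value
    return params

def audit_sslmode(conninfo, env):
    """Resolve the effective sslmode and list what it leaves unprotected."""
    params = conninfo_params(conninfo)
    if "sslmode" in params:
        mode, source = params["sslmode"], "connection string"
    elif "PGSSLMODE" in env:
        mode, source = env["PGSSLMODE"], "PGSSLMODE"
    else:
        mode, source = "prefer", "libpq default"
    if mode not in KNOWN:
        raise ValueError(f"unknown sslmode {mode!r}")
    findings = []
    if mode not in ENCRYPTED:
        findings.append("encryption not enforced: eavesdropping possible")
    if mode not in VERIFIED:
        findings.append("server certificate not verified: fake server possible")
    elif mode == "verify-ca":
        findings.append("host name not matched against certificate")
    return {"mode": mode, "source": source, "findings": findings}

if __name__ == "__main__":
    # Constructed sample inputs (hypothetical hosts), not from the slides.
    for dsn, env in [
        ("host=db.example.internal dbname=sales", {}),
        ("host=db.example.internal dbname=sales", {"PGSSLMODE": "require"}),
        ("postgresql://app@db.example.internal/sales?sslmode=verify-full", {}),
    ]:
        print(audit_sslmode(dsn, env))
```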
Summary
- Only encrypt what you really need
- Only encrypt where you really need
- Key management is hard
- Many use-cases are very narrow