Skip site navigation (1) Skip section navigation (2)

Re: Database Encryption (now required by law in Italy)

From: Silvana Di Martino <silvanadimartino(at)tin(dot)it>
To: Mitch Pirtle <mitchy(at)spacemonkeylabs(dot)com>,Matt Davies <matt(at)mattdavies(dot)net>
Cc: pgsql-admin(at)postgresql(dot)org
Subject: Re: Database Encryption (now required by law in Italy)
Date: 2004-03-05 20:12:37
Message-ID: 200403052012.37564.silvanadimartino@tin.it (view raw or flat)
Thread:
Lists: pgsql-admin
Alle 15:00, venerdì 5 marzo 2004, Mitch Pirtle ha scritto:
> My question is much more basic than that:  Why encrypt anything beyond
> passwords?  If you secure the accounts on the machine, and encrypt all
> network traffic to the machine (ssh, scp, ssl) then what additional
> security can you add?

The following:
- protect your data from the "prying eyes" of your SysAdmins (our law imposes 
this kind of protection)
- protect your data in case of hardware theft

> I have servers in remote facilities all over the world.  It is just not
> possible for me to fly to each datacenter to be there at boot time when
> I upgrade the kernel. I'd love the travel, but it is not feasible.

Technically speaking, this is not required: 
- we could have a boot system that requires the password on the net to a 
"password server" or a human. A few network-based booting systems for 
diskless workstations do something like that already. We just need a 
network-based password system similar to Kerberos or DHCP. It does not exists 
yet, and it will be hard to implement, but it can be created.

> Second, hard-disk encryption will only come into play if someone stole
> the hardware, right?  And even then, as long as the thing boots, then
> they would have access!  That is, unless we went back to the
> human-required-at-boot scenario.

See above. The laptop must ask for a password on the net. You just lock the 
password of any stolen/missing PC on your password server.

> As a former CSO for an 18000-person company, I'm a horribly paranoid
> person when it comes to security; but security that is easily bypassed
> (or dificult-to-impossible to enforce) is just added effort, isn't it?

That's why I did not vote Berlusconi: he is prone to enforce this kind of 
"security"... ;-)

> Here is an idea to beat up on:  how about having the end user of the
> application supply the key that is used to decrypt their data, and only
> their data?  Take your basic, garden variety PHP website, for example.
>
> When the user is given an account, they are also given a password.  This
> password is also used as the key for the (blowfish, via mcrypt maybe?)
> encryption of the data that gets stored for that person.  If you do not
> have that key, then you cannot decrypt their data.  To boot, their key
> is useless for everyone else's data as they used their own...

This is not a solution: "delegated operators" must be able to access the data 
without bothering the data "owner" (that is: the person described by the 
data). They cannot (and must not) ask the owner to grant them access to the 
data every time they need to use them.

> Excellent discussion, maybe we could all come up with a sort of best
> practices for PostgreSQL and security :)

I do hope so: this problem is going to affect a lot of SysAdmins EU-wide and 
deserves a standard solution.

See you

BTW: if you have a USA-based company and collect info regarding Italian 
people, you have to comply with this absurd Italian law. Funny, isn't it?

-----------------------------------------
Alessandro Bottoni and Silvana Di Martino
alessandrobottoni(at)interfree(dot)it
silvanadimartino(at)tin(dot)it

In response to

Responses

pgsql-admin by date

Next:From: Stephan SzaboDate: 2004-03-05 20:14:27
Subject: Re: Database Encryption (now required by law in Italy)
Previous:From: Silvana Di MartinoDate: 2004-03-05 19:45:33
Subject: Re: Database Encryption (now required by law in Italy)

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group