Article on DB encryption

From: Silvana Di Martino <silvanadimartino(at)tin(dot)it>
To: pgsql-admin(at)postgresql(dot)org
Subject: Article on DB encryption
Date: 2004-03-08 12:07:52
Message-ID: 200403081020.21312.silvanadimartino@tin.it
Lists: pgsql-admin
For the (very few?) people interested in this topic:

"Time is Right for Database Encryption"
 Dec 9, 2003 | By Don MacVittie
Published on NetworkComputing
(www.nwc.com)

http://www.nwc.com/shared/article/printFullArticle.jhtml;jsessionid=REGYCTEZ5MNJQQSNDBGCKHY?articleID=16401578 

This paragraph, in particular, deals with a most-argued topic:

"This is why client applications should decrypt the data after they receive it 
from the database. That's the most secure place to handle encryption and 
decryption. But changing all your client applications usually isn't 
realistic. If you find that modifying your apps is not an option, look for a 
solution that allows for decryption on the database and protection of your 
data while on the network. Using SSL to communicate with your database will 
protect your data while it traverses the LAN. It's simple to implement, 
especially since you probably already use it for transmitting sensitive 
information over the Internet."

And this one shows a feasible solution for PostgreSQL (using pgcrypto):

"Oracle has one of the best solutions for in-database encryption-decryption 
keys. It stores the keys, encrypted, in a table. For users with access 
rights, it decrypts the keys, which in turn decrypt the desired data. The 
downside, of course, is that you have unencrypted data on the network, but 
the benefit is making access to encrypted data secure. Not even the database 
administrator can see the unencrypted data--even the keys to get at the data 
are encrypted. This solution can be implemented in any of the major 
databases, and Oracle provides a secure key generator as well as other tools 
to get you started."

Have a nice read.

-----------------------------------------
Alessandro Bottoni and Silvana Di Martino
alessandrobottoni(at)interfree(dot)it
silvanadimartino(at)tin(dot)it
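
The key-table scheme from the second quoted paragraph, sketched with pgcrypto as an added example (not code from the article or from this message). The table names, the user name and the passphrase are hypothetical, and it assumes a pgcrypto build that provides `gen_random_bytes` and the `pgp_sym_*` functions.

```sql
-- Added example: a data key stored encrypted ("wrapped") in a table,
-- unwrapped only for a user who supplies the right passphrase.
-- All names and values below are constructed for illustration.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- One row per authorised user: the same data key, wrapped under
-- that user's own passphrase. The key is never stored in clear.
CREATE TABLE wrapped_keys (
    username    text  PRIMARY KEY,
    wrapped_key bytea NOT NULL
);

-- Application data: ciphertext only.
CREATE TABLE patients (
    id        serial PRIMARY KEY,
    diagnosis bytea  NOT NULL
);

-- Generate a random 256-bit data key and wrap it for user 'alice'.
INSERT INTO wrapped_keys (username, wrapped_key)
SELECT 'alice',
       pgp_sym_encrypt(encode(gen_random_bytes(32), 'hex'),
                       'alice-passphrase');

-- Write: unwrap the data key with the passphrase, then use it
-- to encrypt the sensitive column.
INSERT INTO patients (diagnosis)
SELECT pgp_sym_encrypt('constructed sample diagnosis',
                       pgp_sym_decrypt(k.wrapped_key, 'alice-passphrase'))
FROM wrapped_keys k
WHERE k.username = 'alice';

-- Read: the same two-step unwrap, passphrase -> data key -> plaintext.
SELECT p.id,
       pgp_sym_decrypt(p.diagnosis,
                       pgp_sym_decrypt(k.wrapped_key, 'alice-passphrase'))
           AS diagnosis
FROM patients p
JOIN wrapped_keys k ON k.username = 'alice';

-- With a wrong passphrase the inner pgp_sym_decrypt raises an error,
-- so no data key is produced and the column stays unreadable.
-- Rotating a user's passphrase only re-wraps wrapped_keys.wrapped_key;
-- the rows in patients are untouched.
```

The passphrase and the decrypted values still travel between client and server in clear inside these statements, so this pairs with the SSL connection the first quoted paragraph recommends, and statements carrying the passphrase should be kept out of server statement logs.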
