Field | Value |
---|---|
From: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
To: | Doug McNaught <doug(at)mcnaught(dot)org> |
Cc: | David Blewett <david(at)dawninglight(dot)net>, pgsql-general(at)postgresql(dot)org |
Subject: | Re: Page-Level Encryption |
Date: | 2006-01-20 21:36:56 |
Message-ID: | 200601202136.k0KLaum17131@candle.pha.pa.us |
Lists: | pgsql-general |
Doug McNaught wrote:
> David Blewett <david(at)dawninglight(dot)net> writes:
>
> > In reading the documentation of Peter Gutmann's Cryptlib, I came
> > across this section:
> > "The use of crypto devices can also complicate key management, since
> > keys generated or loaded into the device usually can't be extracted
> > again afterwards. This is a security feature that makes external
> > access to the key impossible, and works in the same way as cryptlib's
> > own storing of keys inside its security perimeter. This means that if
> > you have a crypto device that supports (say) DES and RSA encryption,
> > then to export an encrypted DES key from a context stored in the
> > device, you need to use an RSA context also stored inside the device,
> > since a context located outside the device won't have access to the
> > DES context's key."
> >
> > I'm not familiar with how his library protects keys, but this suggests
> > that it would be possible to use it as a basis for transparent
> > encryption.
>
> He's talking about hardware crypto devices, which most systems don't
> have (though they're certainly available). If you don't have one of
> those, then the key has to be stored in system memory.
FYI, we do have a general encryption documentation section:
http://www.postgresql.org/docs/8.1/static/encryption-options.html
--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
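The Cryptlib passage quoted in this thread describes a security perimeter: key material generated or loaded into a device never comes back out raw, and the only export path is wrapping the key under a second key that also lives inside the same device. The following Python model of that perimeter is an added example, written for this archive page; it is not code from the thread, from Cryptlib, or from PostgreSQL. It stands in an HMAC-SHA256 keystream-plus-tag wrap (constructed) for the DES and RSA contexts in the quote, and the class and method names (`CryptoDevice`, `KeyHandle`, `export_key`, `import_key`, `load_key`) are assumptions made for the illustration. Callers only ever hold opaque handles; an export request that names a wrapping key from a different device is refused, and a wrapped blob that has been altered in transit is rejected on import.

```python
"""Toy model of a crypto device's key perimeter (constructed example, stdlib only)."""
import hashlib
import hmac
import secrets


class KeyHandle:
    """Opaque reference to a key inside one CryptoDevice; carries no key bytes."""
    __slots__ = ("device_id", "index")

    def __init__(self, device_id, index):
        self.device_id = device_id
        self.index = index


def _keystream(kek, nonce, n):
    """Counter-mode keystream derived from the wrapping key (stand-in for a real cipher)."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(kek, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


class CryptoDevice:
    """Keys live in self._keys and are never returned raw; only wrapped export is offered."""

    def __init__(self, name):
        self.name = name
        self._keys = {}  # index -> raw key bytes, private to the perimeter

    def _store(self, raw):
        idx = len(self._keys)
        self._keys[idx] = raw
        return KeyHandle(self.name, idx)

    def generate_key(self, nbytes=16):
        return self._store(secrets.token_bytes(nbytes))

    def load_key(self, raw):
        """Provisioning path: material can be loaded in, but not read back out."""
        return self._store(bytes(raw))

    def _lookup(self, handle):
        # A handle from another device is a context outside this perimeter.
        if handle.device_id != self.name:
            raise PermissionError("handle belongs to a context outside this device")
        return self._keys[handle.index]

    def export_key(self, target, wrapping):
        """Export `target` wrapped under `wrapping`; both must resolve inside this device."""
        raw = self._lookup(target)
        kek = self._lookup(wrapping)
        nonce = secrets.token_bytes(16)
        ct = bytes(a ^ b for a, b in zip(raw, _keystream(kek, nonce, len(raw))))
        tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
        return nonce + ct + tag

    def import_key(self, blob, wrapping):
        """Unwrap a blob produced by export_key() under a wrapping key held in this device."""
        kek = self._lookup(wrapping)
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("wrapped key failed integrity check")
        raw = bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))
        return self._store(raw)

    def mac(self, handle, data):
        """A keyed operation done inside the device: the key is used, never exposed."""
        return hmac.new(self._lookup(handle), data, hashlib.sha256).hexdigest()


def demo():
    """Walk through the export rules and report what happened (used by the test)."""
    dev_a, dev_b = CryptoDevice("hsm-a"), CryptoDevice("hsm-b")
    # Constructed wrapping key provisioned into both devices, then discarded outside.
    shared_kek = secrets.token_bytes(16)
    kek_a, kek_b = dev_a.load_key(shared_kek), dev_b.load_key(shared_kek)
    del shared_kek
    data_key = dev_a.generate_key()

    # 1. Wrapping key in another device: refused, matching the quoted rule.
    try:
        dev_a.export_key(data_key, kek_b)
        cross_device_refused = False
    except PermissionError:
        cross_device_refused = True

    # 2. Wrapping key inside the same device: export succeeds and imports elsewhere.
    blob = dev_a.export_key(data_key, kek_a)
    imported = dev_b.import_key(blob, kek_b)
    same_key = dev_a.mac(data_key, b"msg") == dev_b.mac(imported, b"msg")

    # 3. A blob altered in transit is rejected by the integrity tag.
    tampered = blob[:20] + bytes([blob[20] ^ 1]) + blob[21:]
    try:
        dev_b.import_key(tampered, kek_b)
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    return {"cross_device_refused": cross_device_refused, "same_key": same_key,
            "tamper_detected": tamper_detected, "blob_len": len(blob),
            "raw_in_blob": dev_a._keys[data_key.index] in blob}


if __name__ == "__main__":
    print(demo())
```

The point Doug makes about software-only setups applies to this model too: `self._keys` is ordinary process memory, so the perimeter here is only an API convention, whereas a hardware device enforces it physically. The swap of symmetric wrapping for the RSA context in the quote is a simplification; the rule that the wrapping context must be resident in the same device is what the example preserves.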