| From: | "Sandeep Agarwal" <sandeepagarwal(dot)1980(at)gmail(dot)com> |
|---|---|
| To: | "Michael Fuhr" <mike(at)fuhr(dot)org> |
| Cc: | pgsql-novice(at)postgresql(dot)org |
| Subject: | Re: Data Encryption |
| Date: | 2007-03-29 10:55:48 |
| Message-ID: | 7e507c800703290355m4364243fq7c223df09028aab5@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-novice |
On 3/29/07, Michael Fuhr <mike(at)fuhr(dot)org> wrote:
> On Thu, Mar 29, 2007 at 01:56:34PM +0530, Sandeep Agarwal wrote:
> > i am new to postgres and am puzzled how to solve the untrusted admin
> > problem.
> >
> > i am having very sensitive data (accounts and payroll) on postgresql
> > server. the goal i want to achive is that even the sys. admin/database
> > admin. should be able to read the data. i understand that the solution
> > lies in encrypting the fields.
>
> Do you mean that "even the sys. admin/database admin. should NOT
> be able to read the data"? If so then you must perform encryption
> and decryption on a secure machine to which only trusted personnel
> have access. Assume that admins can read all memory, swap space,
> files, and network connections and can trace any process on the
> system.
thanks for the suggestion
> If your threat model includes untrusted admins then also consider
> what kind of responsibility the admins have over the data even if
> they can't read it. Do you trust them not to manipulate, destroy,
> or otherwise render the data unrecoverable, either intentionally
> or accidentally? Do you have a way of ensuring the safety, integrity,
> and availability of the backups those admins will be performing?
yes i can trust the admin that they will not alter / destroy the data.
> > the fields i would like to encrypt are numeric. according to my
> > understanding SQL queirues in the application will fail due to this.
> > is it possible to accomplish this task ?
>
> The PostgreSQL documentation discusses encryption options:
>
> http://www.postgresql.org/docs/8.2/interactive/encryption-options.html
>
> As "Client-Side Encryption" says, if you don't trust the admins
> then you'll need to encrypt the data before it reaches the database.
>
> > i am using postgres 8.1, its a perl based application running on apache.
>
> If you're responsible for "very sensitive data" then consider hiring
> a security expert. Security is easy to get wrong; the strongest
> encryption algorithms are worthless if misused or if used properly
> in an unsecure environment.
>
> "The world is full of bad security systems designed by people who
> have read _Applied Cryptography_."[1]
>
> [1] Niels Ferguson and Bruce Schneier quoting an unnamed source in
> _Practical Cryptography_, p 382.
>
> --
> Michael Fuhr
>
| From | Date | Subject | |
|---|---|---|---|
| Next Message | nhrcommu | 2007-03-29 11:15:29 | Re: Data Encryption |
| Previous Message | Michael Fuhr | 2007-03-29 10:44:21 | Re: Data Encryption |