
Re: pgcrypto and database encryption

From: Silvana Di Martino <silvanadimartino(at)tin(dot)it>
To: matt(at)ymogen(dot)net, "Joe Conway" <mail(at)joeconway(dot)com>
Cc: pgsql-admin(at)postgresql(dot)org
Subject: Re: pgcrypto and database encryption
Date: 2004-03-08 09:46:48
Lists: pgsql-admin
At 22:16 on Sunday, 7 March 2004, matt(at)ymogen(dot)net wrote:
> The EU directive (and therefore the laws of individual countries) requires
> that if someone gets access to your *DATABASE* they cannot get personal
> details of individuals out of it.  That is all.  It is intended to protect
> people against the kind of idiotic organisations that put their customer
> lists in an Excel sheet on their extranet without a password.
> This thread has covered many interesting and diverting issues, but the
> fundamental issue of legal compliance is more than satisfied by:
> 1)   Encrypting 'personal information' stored in a DB

Fine! Now tell me: how do you perform such encryption on PostgreSQL? Using 
pgcrypto and supplying your password from external (PHP, Python) code? Where 
do you store this password? In a config.php file? How many different 
encryption/decryption programs/implementations/logics are you willing to have 
on your "n" PostgreSQL servers? How do you maintain them (after the original 
programmers are gone)?

Using a few commercial RDBMS, it is just a matter of switching the encryption 
feature on and supplying the required password each time you start the RDBMS 
service up. Unfortunately, PostgreSQL does not supply us with such a 
comfortable feature. So, how many commercial licenses of your favorite 
commercial RDBMS are you willing (or can you afford) to buy to replace all 
your PostgreSQL servers? How much time (programmer's working hours, each at 
50 Euro average cost) are you willing to invest in converting your 
PostgreSQL databases to SQL Server, for example?

I'm perfectly aware that law is clear and simple. Nevertheless, its 
implementation isn't.

> 2)   Keeping the keys on a different server than the DB

Fine. How and when do you supply the password to the encryption/decryption 
process? On demand? At postmaster init time? Using which channel/method? 
XML-RPC? SOAP? How do you protect them from a hacker's program that tries to 
impersonate the legitimate encrypting program and ask for it?

Once again, the Devil is in the details...

> 3)   Making reasonable efforts [1] to keep those keys secret

> [1]  As far as I can tell from discussions with the Data Protection
> Registrar, you do not have to protect them against someone rooting the app
> server (since that is essentially impossible without silly investments in
> specialised hardware or other excessive costs).

What does "reasonable" mean? We have already agreed that we are not forced to 
replace the Police in fighting organized crime, but we still have to define a lot 
of details. For example: is 15.000 euro for a new database license and the 
porting of data a "silly investment" or a "reasonable investment"? Read 
the Italian law and you will be surprised by the answer.

Again, I'm sorry to bother you all with such details. Just give me a solution 
(that is: a PostgreSQL database encryption method I can actually use) and I 
will leave you alone.

See you.
Alessandro Bottoni and Silvana Di Martino
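The mechanism the message above asks about (pgcrypto with the key supplied by the application on every call, so that nothing stored on the PostgreSQL server can decrypt the data by itself), written out as an added example that is not part of this thread or of pgcrypto's own documentation. It assumes a current PostgreSQL with the pgcrypto extension installed; the pgp_sym_encrypt/pgp_sym_decrypt functions it relies on were added to pgcrypto after this 2004 message, and the table, column names and key value are invented for illustration.

```sql
-- Added example: column-level encryption of personal data with pgcrypto.
-- The key comes from the application (a config file, a secrets service, or a
-- separate key server) and is never written to any table, view or function.
-- Assumes pgcrypto's pgp_sym_* functions; names and key are illustrative.

CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE customer (
    id        serial PRIMARY KEY,
    name_enc  bytea NOT NULL,   -- pgp_sym_encrypt() output, never plaintext
    email_enc bytea NOT NULL
);

-- The application passes the key as a parameter ($3) with each insert.
PREPARE ins_customer(text, text, text) AS
    INSERT INTO customer (name_enc, email_enc)
    VALUES (pgp_sym_encrypt($1, $3, 'cipher-algo=aes256'),
            pgp_sym_encrypt($2, $3, 'cipher-algo=aes256'))
    RETURNING id;

EXECUTE ins_customer('Mario Rossi', 'mario@example.org', 'key-held-by-the-app');

-- Decryption needs the same key, again supplied as a parameter.
PREPARE get_customer(int, text) AS
    SELECT pgp_sym_decrypt(name_enc,  $2) AS name,
           pgp_sym_decrypt(email_enc, $2) AS email
    FROM customer
    WHERE id = $1;

EXECUTE get_customer(1, 'key-held-by-the-app');
--    name     |       email
-- Mario Rossi | mario@example.org

-- Whoever copies the table (pg_dump, a stolen disk, a database superuser)
-- gets only the PGP packets, not the personal data:
SELECT id, encode(name_enc, 'hex') AS name_ciphertext FROM customer;

-- A wrong key is rejected rather than returning garbage; pgcrypto raises
-- ERROR:  Wrong key or corrupt data
EXECUTE get_customer(1, 'wrong-key');
```

Two caveats a deployment has to settle, both touched on in the thread: the key reaches the server in clear on every statement, so it can surface in log_statement output, in pg_stat_activity while the query runs, and in error messages, which means statement logging must be kept off for these queries and the client connection must use TLS; and the application host that holds the key is the real perimeter, since anyone who can read its configuration (or run code as the application user) can call get_customer just as the application does.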
