Thread: database encryption

database encryption

From

Olivier Boissard

Date:

07 February 2007, 06:53:05

Hello,

I'd like to know which solutions exist encrypt postgresql database ?
Did you already use an encryption method ?

I saw on the web that there is a contrib (pgcypto) but I can't estimate
its efficiency

Olivier

Attachment

olivier.boissard.vcf

Re: database encryption

From

Andrew Sullivan

Date:

07 February 2007, 10:36:01

On Wed, Feb 07, 2007 at 11:23:03AM +0100, Olivier Boissard wrote:
> I saw on the web that there is a contrib (pgcypto) but I can't estimate
> its efficiency

Well, it works for some people.  What are you trying to accomplish
with "database encryption"?

A

--
Andrew Sullivan  | ajs@crankycanuck.ca
The whole tendency of modern prose is away from concreteness.
        --George Orwell

Re: database encryption

From

Olivier Boissard

Date:

08 February 2007, 04:13:51

Andrew Sullivan a écrit :
> On Wed, Feb 07, 2007 at 11:23:03AM +0100, Olivier Boissard wrote:
>
>> I saw on the web that there is a contrib (pgcypto) but I can't estimate
>> its efficiency
>>
>
> Well, it works for some people.  What are you trying to accomplish
> with "database encryption"?
>
> A
>
>
I would like to insert sensitive data into postgresql tables.
These informations must be well-protected as they are confidential but
they must be "decrypted" by php programs too.
(These PHP programs will be encrypted by php encryptions program.)

I was thinking about a system in which only the php programs will be
able to manage stored informations. In case of  theft or unexpected
access to servers nobody could be able to retrieve the stored data
without the authorized key.

Olivier

Attachment

olivier.boissard.vcf

Re: database encryption

From

Michael Fuhr

Date:

08 February 2007, 07:53:11

On Thu, Feb 08, 2007 at 09:13:48AM +0100, Olivier Boissard wrote:
> I was thinking about a system in which only the php programs will be
> able to manage stored informations. In case of  theft or unexpected
> access to servers nobody could be able to retrieve the stored data
> without the authorized key.

What about theft or compromise of the server running the PHP code?
In general it's a good idea to encrypt and decrypt as close to where
the cleartext is needed to limit exposure, but you should also
consider the vulnerability of the system that holds the key.  For
some applications it might make sense to use public-key encryption
with the exposed (e.g., Internet-facing) server having only the
public (encryption) key and a more protected backend server having
the corresponding private (decryption) key.

Without knowing the requirements and the threat model it's impossible
to suggest a suitable solution.  Can you be more specific about what
you're trying to do?

--
Michael Fuhr

Re: database encryption

From

Bruce Momjian

Date:

08 February 2007, 10:32:26

Michael Fuhr wrote:
> On Thu, Feb 08, 2007 at 09:13:48AM +0100, Olivier Boissard wrote:
> > I was thinking about a system in which only the php programs will be
> > able to manage stored informations. In case of  theft or unexpected
> > access to servers nobody could be able to retrieve the stored data
> > without the authorized key.
>
> What about theft or compromise of the server running the PHP code?
> In general it's a good idea to encrypt and decrypt as close to where
> the cleartext is needed to limit exposure, but you should also
> consider the vulnerability of the system that holds the key.  For
> some applications it might make sense to use public-key encryption
> with the exposed (e.g., Internet-facing) server having only the
> public (encryption) key and a more protected backend server having
> the corresponding private (decryption) key.
>
> Without knowing the requirements and the threat model it's impossible
> to suggest a suitable solution.  Can you be more specific about what
> you're trying to do?

We do have an encryption section in our documentation:

    http://www.postgresql.org/docs/8.2/static/encryption-options.html


--
  Bruce Momjian  <bruce@momjian.us>          http://momjian.us
  EnterpriseDB                               http://www.enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +

Re: database encryption

From

Olivier Boissard

Date:

09 February 2007, 07:38:12

Bruce Momjian a écrit :
> Michael Fuhr wrote:
>
>> On Thu, Feb 08, 2007 at 09:13:48AM +0100, Olivier Boissard wrote:
>>
>>> I was thinking about a system in which only the php programs will be
>>> able to manage stored informations. In case of  theft or unexpected
>>> access to servers nobody could be able to retrieve the stored data
>>> without the authorized key.
>>>
>> What about theft or compromise of the server running the PHP code?
>> In general it's a good idea to encrypt and decrypt as close to where
>> the cleartext is needed to limit exposure, but you should also
>> consider the vulnerability of the system that holds the key.  For
>> some applications it might make sense to use public-key encryption
>> with the exposed (e.g., Internet-facing) server having only the
>> public (encryption) key and a more protected backend server having
>> the corresponding private (decryption) key.
>>
>> Without knowing the requirements and the threat model it's impossible
>> to suggest a suitable solution.  Can you be more specific about what
>> you're trying to do?
>>
>
> We do have an encryption section in our documentation:
>
>     http://www.postgresql.org/docs/8.2/static/encryption-options.html
>
>
>
Thanks for responses.
I expose the context of my question :

I need to install a server for a specific web application written in PHP.
This one works by making queries to a postgresql database. The database
contains confidential data.
For several reasons the server will be installed inside the Local
network of our client. I will not be able to supervise and control it.
As it's a fussy situation I am thinking about encryption.
I was thinking about PHP encryption solution (Zend or Ioncube) for the
web application protection.
But sensitive data must be protected too.
Pgcrypto seemed to be the encryption solution but I am not sure it's a
good idea because all keys will be located on server ( if I have well
understood) and the documention explain that the data will appear on
"clear text" for a short period.

Olivier

Attachment

olivier.boissard.vcf

Re: database encryption

From

Bruno Wolff III

Date:

09 February 2007, 12:28:45

On Fri, Feb 09, 2007 at 09:03:20 +0100,
  Olivier Boissard <olivier.boissard@cerene.fr> wrote:
> Thanks for responses.
> I expose the context of my question :
>
> I need to install a server for a specific web application written in PHP.
> This one works by making queries to a postgresql database. The database
> contains confidential data.

Who are you trying to keep this data from? Does this include the client?
Who needs to see the decrypted data? Does the database need to in order
to efficiently do queries? Does the webserver/php server need to or does
it produce output that the end user can download and decrypt on their end?

> For several reasons the server will be installed inside the Local
> network of our client. I will not be able to supervise and control it.

Again, is your client being treated as an opponent? Are you worried about
other threats such as stolen servers or back up tapes?

> As it's a fussy situation I am thinking about encryption.
> I was thinking about PHP encryption solution (Zend or Ioncube) for the
> web application protection.
> But sensitive data must be protected too.

Again, from who?

> Pgcrypto seemed to be the encryption solution but I am not sure it's a
> good idea because all keys will be located on server ( if I have well
> understood) and the documention explain that the data will appear on
> "clear text" for a short period.

Whether or not that is a problem depends on what kind of attacks you are
trying to protect against. If you are trying to protect against the case
where the db server gets owned, having the keys on the server will make them
available to the attacker.