Thread: Security and Data Protection Issues
I am setting up a postgres database on a standalone system with a randomized text password. However, the db will containvery sensitive data and my boss is worried about the possibility of someone being able to crack the db data if theystole the machine. Can anyone point me to information about how securely the data is stored? Or is my only option tohash all my data?<br /><br />Thanks in advance. <br />
Stuart Gundry wrote: > I am setting up a postgres database on a standalone system with a randomized > text password. However, the db will contain very sensitive data and my boss > is worried about the possibility of someone being able to crack the db data > if they stole the machine. Can anyone point me to information about how > securely the data is stored? Or is my only option to hash all my data? The best you can do IMHO is keep all of your database on an encrypted partition (think dm-crypt ir truecrypt). Other than that, if someone steals your box, you're cooked. If you're not willing to pay the overhead of having everything encrypted, I think you could set up a tablespace on an encrypted partition and have only the tables with sensitive data on it (and WAL logs). Cheers, Jan -- Jan Urbanski GPG key ID: E583D7D2 ouden estin
Thank you, I'm also curious as to whether the data folder is already in some way encrypted and if so, what encryption/obfuscationis being used. There doesn't seem to be anything about this on the web.<br />
Stuart Gundry wrote: > Thank you, I'm also curious as to whether the data folder is already in some > way encrypted and if so, what encryption/obfuscation is being used. There > doesn't seem to be anything about this on the web. No encryption, although large text fields may be compressed (read up on TOAST) so not readable as plain-text. -- Richard Huxton Archonet Ltd
Stuart Gundry wrote: > Been looking into truecrypt but can't seem to get it to play nice with > postgres silent installer. When I try to set the BASEDIR="M:\", which is > where I mounted my encrypted volume it gives the following error in the log > > The Cacls command can be run only on disk drives that use the NTFS file > system. Hmm, and are sure that the encrypted partition is seen by the system as a NTFS partition? > It sounded like you've done this before so I was hoping you could give me > some pointers. I know its not the rest of my install command since I've used > that many times before. I've done that, but not on Windows, so I'm not really sure how that'll work. Maybe someone with more Windows experience could help here? BTW: you could try and install Postgres as usual, and just keep your WAL logs directory and all data from the tables on the encrypted partition. Just read the documentation on CREATE TABLESPACE and about moving the pg_xlog directory. > Thank you for your time You're welcome ;) Cheers, Jan -- Jan Urbanski GPG key ID: E583D7D2 ouden estin
Stuart Gundry wrote: > I am setting up a postgres database on a standalone system with a randomized > text password. However, the db will contain very sensitive data and my boss > is worried about the possibility of someone being able to crack the db data > if they stole the machine. Can anyone point me to information about how > securely the data is stored? Or is my only option to hash all my data? We have documentation about this: http://www.postgresql.org/docs/8.3/static/encryption-options.html -- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB http://enterprisedb.com + If your life is a hard drive, Christ can be your backup. +