Security and Data Protection Issues

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

Security and Data Protection Issues

Stuart Gundry
I am setting up a postgres database on a standalone system with a randomized text password. However, the db will contain very sensitive data and my boss is worried about the possibility of someone being able to crack the db data if they stole the machine. Can anyone point me to information about how securely the data is stored? Or is my only option to hash all my data?

Thanks in advance.
Reply | Threaded
Open this post in threaded view
|

Re: Security and Data Protection Issues

Jan Urbański
Stuart Gundry wrote:
> I am setting up a postgres database on a standalone system with a randomized
> text password. However, the db will contain very sensitive data and my boss
> is worried about the possibility of someone being able to crack the db data
> if they stole the machine. Can anyone point me to information about how
> securely the data is stored? Or is my only option to hash all my data?

The best you can do IMHO is keep all of your database on an encrypted
partition (think dm-crypt ir truecrypt). Other than that, if someone
steals your box, you're cooked.

If you're not willing to pay the overhead of having everything
encrypted, I think you could set up a tablespace on an encrypted
partition and have only the tables with sensitive data on it (and WAL logs).

Cheers,
Jan

--
Jan Urbanski
GPG key ID: E583D7D2

ouden estin

--
Sent via pgsql-hackers mailing list ([hidden email])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
Reply | Threaded
Open this post in threaded view
|

Re: Security and Data Protection Issues

Stuart Gundry
Thank you, I'm also curious as to whether the data folder is already in some way encrypted and if so, what encryption/obfuscation is being used. There doesn't seem to be anything about this on the web.
Reply | Threaded
Open this post in threaded view
|

Re: Security and Data Protection Issues

Richard Huxton
Stuart Gundry wrote:
> Thank you, I'm also curious as to whether the data folder is already in some
> way encrypted and if so, what encryption/obfuscation is being used. There
> doesn't seem to be anything about this on the web.

No encryption, although large text fields may be compressed (read up on
TOAST) so not readable as plain-text.

--
   Richard Huxton
   Archonet Ltd

--
Sent via pgsql-hackers mailing list ([hidden email])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
Reply | Threaded
Open this post in threaded view
|

Re: Security and Data Protection Issues

Jan Urbański
In reply to this post by Jan Urbański
Stuart Gundry wrote:
> Been looking into truecrypt but can't seem to get it to play nice with
> postgres silent installer. When I try to set the BASEDIR="M:\", which is
> where I mounted my encrypted volume it gives the following error in the log
>
> The Cacls command can be run only on disk drives that use the NTFS file
> system.

Hmm, and are sure that the encrypted partition is seen by the system as
a NTFS partition?

> It sounded like you've done this before so I was hoping you could give me
> some pointers. I know its not the rest of my install command since I've used
> that many times before.

I've done that, but not on Windows, so I'm not really sure how that'll
work. Maybe someone with more Windows experience could help here?

BTW: you could try and install Postgres as usual, and just keep your WAL
logs directory and all data from the tables on the encrypted partition.
Just read the documentation on CREATE TABLESPACE and about moving the
pg_xlog directory.

> Thank you for your time

You're welcome ;)

Cheers,
Jan

--
Jan Urbanski
GPG key ID: E583D7D2

ouden estin

--
Sent via pgsql-hackers mailing list ([hidden email])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
Reply | Threaded
Open this post in threaded view
|

Re: Security and Data Protection Issues

Bruce Momjian
In reply to this post by Stuart Gundry
Stuart Gundry wrote:
> I am setting up a postgres database on a standalone system with a randomized
> text password. However, the db will contain very sensitive data and my boss
> is worried about the possibility of someone being able to crack the db data
> if they stole the machine. Can anyone point me to information about how
> securely the data is stored? Or is my only option to hash all my data?

We have documentation about this:

        http://www.postgresql.org/docs/8.3/static/encryption-options.html

--
  Bruce Momjian  <[hidden email]>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +

--
Sent via pgsql-hackers mailing list ([hidden email])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers