Re: pgcrypto question
From | Tomas Vondra |
---|---|
Subject | Re: pgcrypto question |
Date | |
Msg-id | 20191007180842.j6jqgcirhsnbqp2x@development |
In reply to | pgcrypto question (Erik Aronesty <earonesty@gmail.com>) |
Responses | Re: pgcrypto question |
List | pgsql-general |
On Mon, Oct 07, 2019 at 12:05:16PM -0400, Erik Aronesty wrote:
>Currently, it is my understanding that the pgcrypto library requires
>the user to send a password or private key up to the server for
>decryption.
>

Correct. In the naive case the key is included in each SQL query, which
does have various issues. Bruce Momjian has a nice extension that allows
you to fix that by loading the key into backend memory:

http://momjian.us/download/pgcryptokey/

>Is there a notion of a client-side encrypt/decrypt plugin when doing a
>postgres query?
>
>For example, a user could query postgres, get back data of type
>"encrypted", and a "libpq" plugin could decode/decrypt those columns
>that are of data type "encrypted".... in a manner transparent to the
>user of the client....
>
>Obviously I could write this by intercepting the relevant libpq calls
>using LD_PRELOAD or Microsoft's "Detours" ... but is there a better
>way to do that?
>

AFAIK that's usually done at the application level, i.e. the application
is sending/receiving encrypted data, and the database simply sees bytea
columns. I'm not aware of a driver doing that transparently, but it seems
like an interesting idea - I wonder if it could be done e.g. in psycopg
as an extension, or something like that.

regards

-- 
Tomas Vondra http://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
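
The two arrangements discussed in this message, side by side in SQL, as an added example that is not part of the original email. Table names, column names, the key id, the passphrase and the sample bytes are constructed placeholders; `pgp_sym_encrypt` and `pgp_sym_decrypt` are pgcrypto's own functions.

```sql
-- Added example; all names and values below are constructed.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- 1) Server-side pgcrypto (the "naive case"): the server performs the
--    crypto, so the passphrase has to be sent to it.
CREATE TABLE notes_server_side (
    id     bigserial PRIMARY KEY,
    secret bytea NOT NULL            -- OpenPGP message produced by pgcrypto
);

-- The passphrase is a literal in the statement text, so it appears wherever
-- statement text appears: pg_stat_activity.query, and the server log when
-- log_statement or log_min_duration_statement captures the statement.
INSERT INTO notes_server_side (secret)
VALUES (pgp_sym_encrypt('constructed plaintext', 'constructed-passphrase'));

SELECT pgp_sym_decrypt(secret, 'constructed-passphrase')
FROM notes_server_side;

-- Check for exposure from another session (superuser or pg_read_all_stats):
SELECT pid, usename, query
FROM pg_stat_activity
WHERE query ILIKE '%pgp_sym_%' AND pid <> pg_backend_pid();

-- 2) Application-level encryption: the client encrypts before INSERT and
--    decrypts after SELECT. The server never receives a key and only
--    stores and returns opaque bytes.
CREATE TABLE notes_client_side (
    id         bigserial PRIMARY KEY,
    key_id     text  NOT NULL,       -- assumption: label of the client-held key
    ciphertext bytea NOT NULL        -- produced by the application
);

PREPARE put_note(text, bytea) AS
    INSERT INTO notes_client_side (key_id, ciphertext) VALUES ($1, $2);

-- Constructed bytes standing in for ciphertext produced on the client.
EXECUTE put_note('k-2019-10', '\x00112233445566778899aabbccddeeff');

-- The server can store, return and compare these bytes but cannot read
-- them, so it cannot filter, sort or index on the plaintext.
SELECT id, key_id, octet_length(ciphertext) AS bytes
FROM notes_client_side;
```

Passing the passphrase as a bind parameter in the first arrangement keeps it out of the statement text, but the server still receives it.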