Re: Database level encryption

On 04/05/2010 01:46 PM, Kevin Grittner wrote:
> Scott Marlowe <scott.marlowe@gmail.com> wrote:
>> Timothy Madden <terminatorul@gmail.com> wrote:
>
>>> My scenario is how to protect the database if the machine is
>>> stolen (it is a mini-laptop), and I would like to encrypt the
>>> entire database, that is all columns of all tables, and if
>>> possible everything else found in the database.
>>>
>>> I would like all searching and sorting functions, just like with
>>> a normal database (that is, transparent encryption for the
>>> application level). The password will be entered by a human in
>>> order to start the application.
>
>> Everything you've said so far points to using a mounted encrypted
>> drive to store the db.
>
> Agreed.  I know you explicitly said you didn't want to use that in
> your original post, but you didn't say why.  I don't think you're
> going to convince anyone here to put effort into something you can
> configure to "just work" with so little trouble on existing systems,
> without a really good argument.

Agreed here also. I don't see any reason for Postgres to provide this
sort of functionality when it can be done at the OS level. There is
going to be a significant performance hit -- that is why I would suggest
careful analysis and selective encryption instead. But if that isn't
important, an encrypted drive is probably the only option.

Joe