Discussion: Encrypted Disks
Folks,

A client is asking us about data security, and keeping data encrypted on disk. I recall there was some discussion about this before, including things like for it to be secure an operator would need to put in a key when the disk is mounted, that once it is mounted anyone with permissions to the disk can read it, etc.

Given these drawbacks, I'm wondering if anyone has used an encrypted fs for PostgreSQL and if so, what they found in terms of speed. Would this be a big hit, or would it be pretty low impact? Also, does it cause any potential problems with recovery from a crash, etc?

Thanks,
Peter Darley
On Thu, 2005-09-22 at 17:18, Peter Darley wrote:
> Folks,
>
> A client is asking us about data security, and keeping data encrypted on disk. I recall there was some discussion about this before, including things like for it to be secure an operator would need to put in a key when the disk is mounted, that once it is mounted anyone with permissions to the disk can read it, etc.
>
> Given these drawbacks, I'm wondering if anyone has used an encrypted fs for PostgreSQL and if so, what they found in terms of speed. Would this be a big hit, or would it be pretty low impact? Also, does it cause any potential problems with recovery from a crash, etc?

You and your client need to back up and figure out which scenario you're trying to protect against.

Encrypting the drive (with an external key) ensures that if someone steals the disks, or gets hold of the raw db files, they can't get the data out.

However, if they hack into the machine that is accessing the database, encrypting the drives does nothing for you.

So, which scenario are they trying to protect against? Once you know the answer to that question, then you can look at different ways of encrypting the data you are storing.
Scott,

The only potential scenario for us is encrypting the disks so if they are stolen the data is safe. It's a small project and it would not be worth it to redesign our system to the extent it would need to be to have data in the fields encrypted while the db is running. So, long and short, I understand that it only protects the data while the drive is not mounted.

Thanks,
Peter

-----Original Message-----
From: Scott Marlowe [mailto:smarlowe@g2switchworks.com]
Sent: Friday, September 23, 2005 8:24 AM
To: Peter Darley
Cc: Pgsql-Admin
Subject: Re: [ADMIN] Encrypted Disks

On Thu, 2005-09-22 at 17:18, Peter Darley wrote:
> Folks,
>
> A client is asking us about data security, and keeping data encrypted on disk. I recall there was some discussion about this before, including things like for it to be secure an operator would need to put in a key when the disk is mounted, that once it is mounted anyone with permissions to the disk can read it, etc.
>
> Given these drawbacks, I'm wondering if anyone has used an encrypted fs for PostgreSQL and if so, what they found in terms of speed. Would this be a big hit, or would it be pretty low impact? Also, does it cause any potential problems with recovery from a crash, etc?

You and your client need to back up and figure out which scenario you're trying to protect against.

Encrypting the drive (with an external key) ensures that if someone steals the disks, or gets hold of the raw db files, they can't get the data out.

However, if they hack into the machine that is accessing the database, encrypting the drives does nothing for you.

So, which scenario are they trying to protect against? Once you know the answer to that question, then you can look at different ways of encrypting the data you are storing.
Well then, a loop-back mounted encrypted file system should do the trick.

Note that other methods could work as well, but not require an encrypted file system, such as two-key (public/private, i.e. PKI) encryption, where the key used for encrypting could be kept on the server, and the decryption key is kept on the client side, so that the data on the server is also rendered useless should the server / drives get stolen.

I've found the page for encfs here: http://arg0.net/wiki/encfs

There are other sites, but they appear fairly old, circa 1999 or so, and based on the Linux 2.2 kernel.

On Fri, 2005-09-23 at 12:39, Peter Darley wrote:
> Scott,
>
> The only potential scenario for us is encrypting the disks so if they are stolen the data is safe. It's a small project and it would not be worth it to redesign our system to the extent it would need to be to have data in the fields encrypted while the db is running. So, long and short, I understand that it only protects the data while the drive is not mounted.
>
> Thanks,
> Peter
>
> -----Original Message-----
> From: Scott Marlowe [mailto:smarlowe@g2switchworks.com]
> Sent: Friday, September 23, 2005 8:24 AM
> To: Peter Darley
> Cc: Pgsql-Admin
> Subject: Re: [ADMIN] Encrypted Disks
>
> On Thu, 2005-09-22 at 17:18, Peter Darley wrote:
> > Folks,
> >
> > A client is asking us about data security, and keeping data encrypted on disk. I recall there was some discussion about this before, including things like for it to be secure an operator would need to put in a key when the disk is mounted, that once it is mounted anyone with permissions to the disk can read it, etc.
> >
> > Given these drawbacks, I'm wondering if anyone has used an encrypted fs for PostgreSQL and if so, what they found in terms of speed. Would this be a big hit, or would it be pretty low impact? Also, does it cause any potential problems with recovery from a crash, etc?
>
> You and your client need to back up and figure out which scenario you're trying to protect against.
>
> Encrypting the drive (with an external key) ensures that if someone steals the disks, or gets hold of the raw db files, they can't get the data out.
>
> However, if they hack into the machine that is accessing the database, encrypting the drives does nothing for you.
>
> So, which scenario are they trying to protect against? Once you know the answer to that question, then you can look at different ways of encrypting the data you are storing.
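Scott's second suggestion above (a key that can only encrypt stays on the server, the key that decrypts stays with the client) can be done inside PostgreSQL with the OpenPGP functions of the pgcrypto contrib module. The following is an added example for this thread, not code from any of the posters: the tables `pgp_keys` and `customer_secret`, the psql variable `client_privkey` and the local file `client.key` are assumptions, and the armoured key text is a placeholder that must be replaced with a real key pair generated on the client.

```sql
-- Added example, not from the thread: split-key encryption with pgcrypto.
-- Assumed names: pgp_keys, customer_secret, psql variable client_privkey,
-- client-side file client.key. Key material below is a placeholder.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- The server keeps only the ENCRYPTING (public) half of the key pair.
CREATE TABLE pgp_keys (
    name   text PRIMARY KEY,
    pubkey text NOT NULL          -- ASCII-armoured OpenPGP public key
);
INSERT INTO pgp_keys VALUES ('client', '-----BEGIN PGP PUBLIC KEY BLOCK-----
PLACEHOLDER: paste the client public key here
-----END PGP PUBLIC KEY BLOCK-----');

CREATE TABLE customer_secret (
    id     serial PRIMARY KEY,
    label  text  NOT NULL,
    secret bytea NOT NULL         -- OpenPGP message; the server cannot open it
);

-- Writes happen on the server with the public key alone.
INSERT INTO customer_secret (label, secret)
SELECT 'constructed sample', pgp_pub_encrypt('hello, world', dearmor(pubkey))
FROM pgp_keys WHERE name = 'client';

-- What someone holding the stolen disks, a backup, or the raw data files
-- gets from this column: opaque bytes.
SELECT id, label, encode(secret, 'hex') AS on_disk FROM customer_secret;

-- Reads: the client supplies its private key for the session only; the key
-- is never stored on the server. (If the key has a passphrase, pass it as
-- the third argument of pgp_pub_decrypt.)
\set client_privkey `cat client.key`
SELECT id, label, pgp_pub_decrypt(secret, dearmor(:'client_privkey')) AS secret
FROM customer_secret;
```

Two caveats when reading this against Scott's earlier point about which scenario is covered. The plaintext still passes through the server in the INSERT statement (so it can land in statement logs if those are on), and `pgp_pub_decrypt` runs on the server, so the private key and the decrypted rows transit server memory for the duration of that query. This closes the stolen-disk case, which is the one Peter described; it does not protect against someone who already controls the running server. To keep the private key strictly client-side, decrypt the `secret` column in the application with an OpenPGP library instead of calling `pgp_pub_decrypt`.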
Scott,

I was hoping that someone with some experience could comment on how much this would slow down PostgreSQL, or whether it is likely to introduce some instabilities...

Thanks,
Peter Darley

-----Original Message-----
From: pgsql-admin-owner@postgresql.org [mailto:pgsql-admin-owner@postgresql.org] On Behalf Of Scott Marlowe
Sent: Friday, September 23, 2005 11:47 AM
To: Peter Darley
Cc: Pgsql-Admin
Subject: Re: [ADMIN] Encrypted Disks

Well then, a loop-back mounted encrypted file system should do the trick.

Note that other methods could work as well, but not require an encrypted file system, such as two-key (public/private, i.e. PKI) encryption, where the key used for encrypting could be kept on the server, and the decryption key is kept on the client side, so that the data on the server is also rendered useless should the server / drives get stolen.

I've found the page for encfs here: http://arg0.net/wiki/encfs

There are other sites, but they appear fairly old, circa 1999 or so, and based on the Linux 2.2 kernel.

On Fri, 2005-09-23 at 12:39, Peter Darley wrote:
> Scott,
>
> The only potential scenario for us is encrypting the disks so if they are stolen the data is safe. It's a small project and it would not be worth it to redesign our system to the extent it would need to be to have data in the fields encrypted while the db is running. So, long and short, I understand that it only protects the data while the drive is not mounted.
>
> Thanks,
> Peter
>
> -----Original Message-----
> From: Scott Marlowe [mailto:smarlowe@g2switchworks.com]
> Sent: Friday, September 23, 2005 8:24 AM
> To: Peter Darley
> Cc: Pgsql-Admin
> Subject: Re: [ADMIN] Encrypted Disks
>
> On Thu, 2005-09-22 at 17:18, Peter Darley wrote:
> > Folks,
> >
> > A client is asking us about data security, and keeping data encrypted on disk. I recall there was some discussion about this before, including things like for it to be secure an operator would need to put in a key when the disk is mounted, that once it is mounted anyone with permissions to the disk can read it, etc.
> >
> > Given these drawbacks, I'm wondering if anyone has used an encrypted fs for PostgreSQL and if so, what they found in terms of speed. Would this be a big hit, or would it be pretty low impact? Also, does it cause any potential problems with recovery from a crash, etc?
>
> You and your client need to back up and figure out which scenario you're trying to protect against.
>
> Encrypting the drive (with an external key) ensures that if someone steals the disks, or gets hold of the raw db files, they can't get the data out.
>
> However, if they hack into the machine that is accessing the database, encrypting the drives does nothing for you.
>
> So, which scenario are they trying to protect against? Once you know the answer to that question, then you can look at different ways of encrypting the data you are storing.

---------------------------(end of broadcast)---------------------------
TIP 9: In versions below 8.0, the planner will ignore your desire to choose an index scan if your joining column's datatypes do not match