Обсуждение: Postgres security issue - protecting datafiles
Hi, I'd like to use postgres to store my secret data in a way that only me (the DBA, owner of the table) can access the talbe while the root (system administrator) who installed and maintains the server - will not be able to see the data. Now, I think that "db authentication" is simply not enough , because the administrator can copy the data files to his own machine (where he is the owner of the database). Is there a way to protect the data files, so even the "malicious administrator" cannot see the data ? tnx, zferentz
On Mon, Jun 2, 2008 at 6:16 PM, <zferentz@gmail.com> wrote: > Is there a way to protect the data files, so even the "malicious > administrator" cannot see the data ? Encrypt it. Though, how you store the key will be important. -- Jonah H. Harris, Sr. Software Architect | phone: 732.331.1324 EnterpriseDB Corporation | fax: 732.331.1301 499 Thornall Street, 2nd Floor | jonah.harris@enterprisedb.com Edison, NJ 08837 | http://www.enterprisedb.com/
On Mon, Jun 02, 2008 at 03:16:54PM -0700, zferentz@gmail.com wrote: > I'd like to use postgres to store my secret data in a way that only > me (the DBA, owner of the table) can access the talbe while the root > (system administrator) who installed and maintains the server - will > not be able to see the data. > > Now, I think that "db authentication" is simply not enough , because > the administrator can copy the data files to his own machine (where he > is the owner of the database). > > Is there a way to protect the data files, so even the "malicious > administrator" cannot see the data ? I suppose, you need to look into SELinux. That might give you the infrastructure for such purposes, together with an encrypted file system for DB space. That's not something you can do via an application. As you already noticed, anybody with access to the physical table data will be able to copy it. Of course, you could encrypt the data stored in the table, but then: where's the key for decryption? Tino. -- "What we resist, persists." (Zen saying) www.craniosacralzentrum.de www.forteego.de
> Now, I think that "db authentication" is simply not enough , because > the administrator can copy the data files to his own machine (where he > is the owner of the database). Or just change pg_hba.conf to his taste.... > Is there a way to protect the data files, so even the "malicious > administrator" cannot see the data ? Encrypt it. And keep the key on some other machine. And plan your application so decryption happens on some other machine -- ---------------------------------------------------------------------- | Marcin Kasperski | Communication takes place between people, | http://mekk.waw.pl | documents are secondary. (Booch) | | ----------------------------------------------------------------------
zferentz@gmail.com writes: > I'd like to use postgres to store my secret data in a way that only > me (the DBA, owner of the table) can access the talbe while the root > (system administrator) who installed and maintains the server - will > not be able to see the data. If you think you can hide anything on a machine from its root admin, I have a bridge I'd like to sell you ... The only thing you could do along this line is to use the database as a dumb container for encrypted data that you decrypt only on the client side, using keys that are never sent to the database server. Unfortunately that approach loses most of the benefit of using a database in the first place, since you can hardly do any useful processing on data that you can't decrypt. regards, tom lane
Thnx for the input.
I have another solution, which i tried to avoid : my company provides file/folder-level encryption . i can apply this encryption with specific configuration for the postgres processes . this way - even the root cannot access the data, the only one that can access the database-files is the owner of the database (which can be the DBA , but can be some1 else as well...)
I tried to avoid this solution, but now i understand that i don't have any other choice.
encrypting the data will be useless, because i cannot SELECT by text/range/dates....
tnx
On Wed, Jun 4, 2008 at 7:11 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
zferentz@gmail.com writes:If you think you can hide anything on a machine from its root admin,
> I'd like to use postgres to store my secret data in a way that only
> me (the DBA, owner of the table) can access the talbe while the root
> (system administrator) who installed and maintains the server - will
> not be able to see the data.
I have a bridge I'd like to sell you ...
The only thing you could do along this line is to use the database as a
dumb container for encrypted data that you decrypt only on the client
side, using keys that are never sent to the database server.
Unfortunately that approach loses most of the benefit of using a
database in the first place, since you can hardly do any useful
processing on data that you can't decrypt.
regards, tom lane
On Dienstag, 10. Juni 2008 Zvi Fer wrote: > I have another solution, which i tried to avoid : my company provides > file/folder-level encryption . i can apply this encryption with > specific configuration for the postgres processes . this way - even > the root cannot access the data, the only one that can access the > database-files is the owner of the database (which can be the DBA , > but can be some1 else as well...) And where is the decrypt key stored? If you crypt a folder, you need the key, but root must be able to access the key - or is it hard coded into software? mfg zmi -- // Michael Monnerie, Ing.BSc ----- http://it-management.at // Tel: 0660 / 415 65 31 .network.your.ideas. // PGP Key: "curl -s http://zmi.at/zmi.asc | gpg --import" // Fingerprint: AC19 F9D5 36ED CD8A EF38 500E CE14 91F7 1C12 09B4 // Keyserver: www.keyserver.net Key-ID: 1C1209B4