Обсуждение: Security and Data Protection Issues

I am setting up a postgres database on a standalone system with a randomized text password. However, the db will
containvery sensitive data and my boss is worried about the possibility of someone being able to crack the db data if
theystole the machine. Can anyone point me to information about how securely the data is stored? Or is my only option
tohash all my data?<br /><br />Thanks in advance. <br /> 

Stuart Gundry wrote:
> I am setting up a postgres database on a standalone system with a randomized
> text password. However, the db will contain very sensitive data and my boss
> is worried about the possibility of someone being able to crack the db data
> if they stole the machine. Can anyone point me to information about how
> securely the data is stored? Or is my only option to hash all my data?

The best you can do IMHO is keep all of your database on an encrypted 
partition (think dm-crypt ir truecrypt). Other than that, if someone 
steals your box, you're cooked.

If you're not willing to pay the overhead of having everything 
encrypted, I think you could set up a tablespace on an encrypted 
partition and have only the tables with sensitive data on it (and WAL logs).

Cheers,
Jan

-- 
Jan Urbanski
GPG key ID: E583D7D2

ouden estin

Thank you, I'm also curious as to whether the data folder is already in some way encrypted and if so, what
encryption/obfuscationis being used. There doesn't seem to be anything about this on the web.<br /> 

Stuart Gundry wrote:
> Thank you, I'm also curious as to whether the data folder is already in some
> way encrypted and if so, what encryption/obfuscation is being used. There
> doesn't seem to be anything about this on the web.

No encryption, although large text fields may be compressed (read up on 
TOAST) so not readable as plain-text.

--   Richard Huxton  Archonet Ltd

Stuart Gundry wrote:
> Been looking into truecrypt but can't seem to get it to play nice with
> postgres silent installer. When I try to set the BASEDIR="M:\", which is
> where I mounted my encrypted volume it gives the following error in the log
> 
> The Cacls command can be run only on disk drives that use the NTFS file
> system.

Hmm, and are sure that the encrypted partition is seen by the system as 
a NTFS partition?

> It sounded like you've done this before so I was hoping you could give me
> some pointers. I know its not the rest of my install command since I've used
> that many times before.

I've done that, but not on Windows, so I'm not really sure how that'll 
work. Maybe someone with more Windows experience could help here?

BTW: you could try and install Postgres as usual, and just keep your WAL 
logs directory and all data from the tables on the encrypted partition.
Just read the documentation on CREATE TABLESPACE and about moving the 
pg_xlog directory.

> Thank you for your time

You're welcome ;)

Cheers,
Jan

-- 
Jan Urbanski
GPG key ID: E583D7D2

ouden estin

Stuart Gundry wrote:
> I am setting up a postgres database on a standalone system with a randomized
> text password. However, the db will contain very sensitive data and my boss
> is worried about the possibility of someone being able to crack the db data
> if they stole the machine. Can anyone point me to information about how
> securely the data is stored? Or is my only option to hash all my data?

We have documentation about this:
http://www.postgresql.org/docs/8.3/static/encryption-options.html

--  Bruce Momjian  <bruce@momjian.us>        http://momjian.us EnterpriseDB
http://enterprisedb.com
 + If your life is a hard drive, Christ can be your backup. +