1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
|
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>16.6.Encryption Options</title>
<link rel="stylesheet" href="stylesheet.css" type="text/css">
<link rev="made" href="pgsql-docs@postgresql.org">
<meta name="generator" content="DocBook XSL Stylesheets V1.70.0">
<link rel="start" href="index.html" title="PostgreSQL 8.1.4 Documentation">
<link rel="up" href="runtime.html" title="Chapter16.Operating System Environment">
<link rel="prev" href="postmaster-shutdown.html" title="16.5.Shutting Down the Server">
<link rel="next" href="ssl-tcp.html" title="16.7.Secure TCP/IP Connections with SSL">
<link rel="copyright" href="ln-legalnotice.html" title="Legal Notice">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="encryption-options"></a>16.6.Encryption Options</h2></div></div></div>
<a name="id644262"></a><p> <span class="productname">PostgreSQL</span> offers encryption at several
levels, and provides flexibility in protecting data from disclosure
due to database server theft, unscrupulous administrators, and
insecure networks. Encryption might also be required to secure
sensitive data such as medical records or financial transactions.
</p>
<div class="variablelist"><dl>
<dt><span class="term">Password Storage Encryption</span></dt>
<dd><p> By default, database user passwords are stored as MD5 hashes, so
the administrator cannot determine the actual password assigned
to the user. If MD5 encryption is used for client authentication,
the unencrypted password is never even temporarily present on the
server because the client MD5 encrypts it before being sent
across the network.
</p></dd>
<dt><span class="term">Encryption For Specific Columns</span></dt>
<dd>
<p> The <code class="filename">/contrib</code> function library
<code class="function">pgcrypto</code> allows certain fields to be stored
encrypted. This is useful if only some of the data is sensitive.
The client supplies the decryption key and the data is decrypted
on the server and then sent to the client.
</p>
<p> The decrypted data and the decryption key are present on the
server for a brief time while it is being decrypted and
communicated between the client and server. This presents a brief
moment where the data and keys can be intercepted by someone with
complete access to the database server, such as the system
administrator.
</p>
</dd>
<dt><span class="term">Data Partition Encryption</span></dt>
<dd>
<p> On Linux, encryption can be layered on top of a file system mount
using a “<span class="quote">loopback device</span>”. This allows an entire
file system partition be encrypted on disk, and decrypted by the
operating system. On FreeBSD, the equivalent facility is called
GEOM Based Disk Encryption, or <acronym class="acronym">gbde</acronym>.
</p>
<p> This mechanism prevents unencrypted data from being read from the
drives if the drives or the entire computer is stolen. This does
not protect against attacks while the file system is mounted,
because when mounted, the operating system provides an unencrypted
view of the data. However, to mount the file system, you need some
way for the encryption key to be passed to the operating system,
and sometimes the key is stored somewhere on the host that mounts
the disk.
</p>
</dd>
<dt><span class="term">Encrypting Passwords Across A Network</span></dt>
<dd><p> The <code class="literal">MD5</code> authentication method double-encrypts the
password on the client before sending it to the server. It first
MD5 encrypts it based on the user name, and then encrypts it
based on a random salt sent by the server when the database
connection was made. It is this double-encrypted value that is
sent over the network to the server. Double-encryption not only
prevents the password from being discovered, it also prevents
another connection from using the same encrypted password to
connect to the database server at a later time.
</p></dd>
<dt><span class="term">Encrypting Data Across A Network</span></dt>
<dd><p> SSL connections encrypt all data sent across the network: the
password, the queries, and the data returned. The
<code class="filename">pg_hba.conf</code> file allows administrators to specify
which hosts can use non-encrypted connections (<code class="literal">host</code>)
and which require SSL-encrypted connections
(<code class="literal">hostssl</code>). Also, clients can specify that they
connect to servers only via SSL. <span class="application">Stunnel</span> or
<span class="application">SSH</span> can also be used to encrypt transmissions.
</p></dd>
<dt><span class="term">SSL Host Authentication</span></dt>
<dd><p>
It is possible for both the client and server to provide SSL keys
or certificates to each other. It takes some extra configuration
on each side, but this provides stronger verification of identity
than the mere use of passwords. It prevents a computer from
pretending to be the server just long enough to read the password
send by the client. It also helps prevent "man in the middle"
attacks where a computer between the client and server pretends to
be the server and reads and passes all data between the client and
server.
</p></dd>
<dt><span class="term">Client-Side Encryption</span></dt>
<dd><p> If the system administrator cannot be trusted, it is necessary
for the client to encrypt the data; this way, unencrypted data
never appears on the database server. Data is encrypted on the
client before being sent to the server, and database results have
to be decrypted on the client before being used.
</p></dd>
</dl></div>
</div></body>
</html>
|
