Docker PostgreSQL data encryption at rest

According to the manual, PostgreSQL supports 'Data Partition Encryption' in order to store the data encrypted at rest on the system.

For my next application I want to containerize PostgreSQL using Docker. Unfortunately I have not found any option to encrypt the database files within this Docker container to protect the data. I thought about something like entering a password when the container is starting to decrypt all the needed files at runtime.

Has anyone experience with this?

Mojo Avatar asked Mar 24 '20 21:03




1 Answer

"Data Partition Encryption" means that you are off-loading the encryption to the OS, and would provide the key at the time of mounting the disk partition that the data directory is read from.

In the context of docker, you would generally achieve this by encrypting the partition that you either:

  • bind mount the data directory from
  • store docker volumes in

E.g. by default Docker volumes are stored in /var/lib/docker/volume on Linux; therefore, if that directory is on a partition that is encrypted using LUKS or similar, then you have already implemented your goal.

In general I'd recommend always using full disk encryption for local machines, and taking advantage of similar features on cloud platforms like AWS.

Michael Avatar answered Oct 14 '22 17:10

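The setup the answer describes, as an added example that is not the post's code nor Docker's or PostgreSQL's own: a spare partition is LUKS-formatted, unlocked with a passphrase before the container starts, mounted, and the PostgreSQL data directory is bind-mounted from it. DEVICE, MAPPER, DATA_ROOT and the `pg` container name are assumed placeholders; the last three functions parse `findmnt`/`lsblk` output so an operator can verify that a directory really is backed by dm-crypt.

```shell
#!/bin/sh
# Added example, not the original post's code: PostgreSQL data on a LUKS partition,
# bind-mounted into the container as the answer describes. Placeholders (assumed):
# DEVICE (spare partition), MAPPER (dm-crypt name), DATA_ROOT (its mount point).
set -eu
DEVICE="${DEVICE:-/dev/sdb1}"
MAPPER="${MAPPER:-pgcrypt}"
DATA_ROOT="${DATA_ROOT:-/srv/pgdata}"

# One-time: LUKS2-format the partition and create a filesystem inside it.
# cryptsetup prompts for the passphrase; that is the key supplied at mount time.
setup_luks() {
  cryptsetup luksFormat --type luks2 "$DEVICE"
  cryptsetup open "$DEVICE" "$MAPPER"
  mkfs.ext4 "/dev/mapper/$MAPPER"
  cryptsetup close "$MAPPER"
}

# Every boot, before the container starts: unlock, mount, then run PostgreSQL.
# Mounting /var/lib/docker/volumes this way instead would cover named volumes.
unlock_and_run() {
  cryptsetup open "$DEVICE" "$MAPPER"   # passphrase prompt
  mkdir -p "$DATA_ROOT"
  mount "/dev/mapper/$MAPPER" "$DATA_ROOT"
  docker run -d --name pg \
    -v "$DATA_ROOT/pg:/var/lib/postgresql/data" \
    -e POSTGRES_PASSWORD="${POSTGRES_PASSWORD:?export it first}" \
    postgres:15
}

# Strip the "[/subdir]" findmnt appends to a bind mount's SOURCE, leaving the device.
source_device() {
  printf '%s\n' "${1%%\[*}"
}

# Given `lsblk -no TYPE <dev>` output (device first, children after), test for dm-crypt.
is_dm_crypt() {
  [ "$(printf '%s\n' "$1" | head -n 1)" = "crypt" ]
}

# Live check: is this directory's backing device a dm-crypt mapping? "part"/"disk" means no.
dir_encrypted_at_rest() {
  dev=$(source_device "$(findmnt -T "$1" -no SOURCE)")
  is_dm_crypt "$(lsblk -no TYPE "$dev")"
}
case "${1:-}" in
  setup) setup_luks ;;
  run)   unlock_and_run ;;
  check) dir_encrypted_at_rest "$DATA_ROOT" && echo encrypted || echo "NOT encrypted" ;;
esac
```

Run `sh script.sh check` after mounting to confirm the data directory is on the encrypted mapping; an unencrypted bind-mount source reports "NOT encrypted".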