
PostgreSQL Database encryption at rest

How can I encrypt a PostgreSQL database at rest?

I could not find good documentation on how I can achieve this.

K.Pil asked Aug 23 '17 20:08


3 Answers

I also haven't found documentation about EncryptionAtRest for Postgres. People arriving here to learn more about EncrAtRest should check out AWS RDS or MongoDB Enterprise which offer this feature.

My reply is a warning for those following the "approved" answer! Saying "just use filesystem encryption" is ignoring the purpose of encrypting a database at rest. When you encrypt a filesystem this protects you from someone copying the drive backup or stealing the physical drive. Nothing else.

An attacker over the network has gained access to your mounted filesystem, and therefore it has already been decrypted to make it accessible to the OS, applications, etc.

Falieson answered Nov 18 '22 11:11


The threat model is very important in this case, as encrypting a database efficiently is not an easy task. This can be done at 3 different layers (client application, storage device, the database itself). Note that in all cases, if the client application is compromised, the encryption is useless. Database-level encryption solutions cover the fewest threat models, as listed below.

  • Malicious user steals storage devices and reads database files directly.
  • Malicious backup operator takes backup.
  • Protecting data at rest (persistent data)

Database encryption solution 1:

System disk encryption (cryptsetup/LUKS)... no modifications are needed on the Postgres setup in this case. This also makes the clog and textual logs encrypted (at rest). If you are using a Google Cloud VM, this guide may be useful.

Database encryption solution 2:

PostgreSQL TDE (transparent data encryption): this Postgres feature implements transparent data encryption at rest for the whole database. An example is demonstrated here.

Database encryption solution 3:

Pgcrypto can be used to encrypt part of the database instead of a solution that would encrypt everything. An example is demonstrated here.

intika answered Nov 18 '22 11:11


If you want to encrypt the entire database, just use filesystem encryption. You will want to encrypt transaction logs and database logs too presumably, so just encrypt the filesystems these reside on.

If you just want to encrypt a few columns then the pgcrypto module is the standard way to do this.

Richard Huxton answered Nov 18 '22 12:11
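An added example, not taken from any of the answers above, showing the pgcrypto column-level approach that both intika and Richard Huxton mention; the `customers` table, its columns and the `app.enc_key` session setting are assumptions made for illustration.

```sql
-- Added example: encrypting a single sensitive column with pgcrypto.
-- Assumes a table "customers" and a key handed in by the application per
-- session (placeholder value; in practice it comes from a KMS/secret store).
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE customers (
    id      serial PRIMARY KEY,
    name    text  NOT NULL,
    ssn_enc bytea NOT NULL   -- ciphertext only; the plaintext is never stored
);

-- Key is supplied as a session-level setting so it is not persisted in the
-- database. Caveat: with statement logging enabled this SET can end up in the
-- server log, so the log files need the same at-rest protection.
SET app.enc_key = 'replace-with-key-from-kms';

-- pgp_sym_encrypt uses a fresh random session key per call, so two rows with
-- the same SSN produce different ciphertext (no equality lookups on the column).
INSERT INTO customers (name, ssn_enc)
VALUES ('Alice',
        pgp_sym_encrypt('123-45-6789',
                        current_setting('app.enc_key'),
                        'cipher-algo=aes256'));

-- Reading back: decryption only works while the key is present in the session.
SELECT id,
       name,
       pgp_sym_decrypt(ssn_enc, current_setting('app.enc_key')) AS ssn
FROM   customers;

-- What a copied data file or backup exposes: the column is opaque bytes.
SELECT id, name, encode(ssn_enc, 'hex') AS ssn_ciphertext
FROM   customers;
```

Note that, exactly as Falieson's answer warns for filesystem encryption, this protects the column against anyone who obtains the files or a dump but not against a caller who already holds a session with the key set.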