Bruce Momjian wrote:

Michael Fuhr wrote:

On Thu, Feb 08, 2007 at 09:13:48AM +0100, Olivier Boissard wrote:

I was thinking about a system in which only the PHP programs will be
able to manage stored information. In case of theft or unexpected
access to servers nobody would be able to retrieve the stored data
without the authorized key.

What about theft or compromise of the server running the PHP code?
In general it's a good idea to encrypt and decrypt as close to where
the cleartext is needed to limit exposure, but you should also
consider the vulnerability of the system that holds the key. For
some applications it might make sense to use public-key encryption
with the exposed (e.g., Internet-facing) server having only the
public (encryption) key and a more protected backend server having
the corresponding private (decryption) key.

Without knowing the requirements and the threat model it's impossible
to suggest a suitable solution. Can you be more specific about what
you're trying to do?

We do have an encryption section in our documentation:

Thanks for the responses.

Let me explain the context of my question:
I need to install a server for a specific web application written in PHP.
This one works by making queries to a PostgreSQL database. The database
contains confidential data.
For several reasons the server will be installed inside the local
network of our client. I will not be able to supervise and control it.
As it's a fussy situation I am thinking about encryption.

I was thinking about a PHP encryption solution (Zend or Ioncube) for the
web application protection.
But sensitive data must be protected too.
Pgcrypto seemed to be the encryption solution but I am not sure it's a
good idea because all keys will be located on the server (if I have
understood correctly) and the documentation explains that the data will
appear in "clear text" for a short period.

Olivier Boissard
Cerene Services
3 rue Archimede, 10000 La Chapelle Saint Luc, France
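
Michael Fuhr's suggestion above (public key on the exposed server, private key on a protected backend), sketched with pgcrypto's OpenPGP functions. This is an added example, not code from any poster in the thread; the table, function and file names (`app_pubkey`, `confidential_note`, `store_note`, `app_public.asc`) are assumptions.

```sql
-- Added example. Run with psql on the server installed at the client site.
-- Assumption: app_public.asc holds an ASCII-armored OpenPGP PUBLIC key,
-- exported on the protected backend with: gpg -a --export KEYID > app_public.asc
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- Load the public key text into a psql variable (backticks run a shell command).
\set pubkey `cat app_public.asc`

-- Only the public (encryption) key is ever stored on this machine.
CREATE TABLE app_pubkey (
    id      int  PRIMARY KEY CHECK (id = 1),
    armored text NOT NULL
);
INSERT INTO app_pubkey (id, armored) VALUES (1, :'pubkey');

CREATE TABLE confidential_note (
    id         bigserial   PRIMARY KEY,
    created_at timestamptz NOT NULL DEFAULT now(),
    body_enc   bytea       NOT NULL   -- OpenPGP message, never the cleartext
);

-- Write path called by the PHP application: needs no secret at all.
CREATE FUNCTION store_note(p_body text) RETURNS bigint
LANGUAGE sql AS $$
    INSERT INTO confidential_note (body_enc)
    SELECT pgp_pub_encrypt(p_body, dearmor(k.armored))
    FROM app_pubkey k
    WHERE k.id = 1
    RETURNING id;
$$;

-- Constructed sample value.
SELECT store_note('constructed sample: confidential text');

-- Safe to run here: shows which key id each row was encrypted to.
SELECT id, pgp_key_id(body_enc) AS needs_key FROM confidential_note;

-- Read path, protected backend only. pgcrypto emits standard OpenPGP
-- messages, so rows can be exported armored and decrypted where the
-- private key lives, for example by piping this output to gpg --decrypt:
SELECT armor(body_enc) FROM confidential_note WHERE id = 1;

-- pgp_pub_decrypt(body_enc, dearmor(<secret key>)) also works, but it sends
-- the secret key to the database server executing the query, so use it only
-- against a database that itself runs on the protected host.
```

pgcrypto runs inside the database server, so the cleartext still passes through that server's memory during the `INSERT`; what this layout keeps off the client-site machine is the decryption key.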