All depends on how secure you want to be in the event of a hostile network penetration. If the answer is “very”, consider using a key management solution — either software (I like Hashicorp Vault) or dedicated HSM hardware from someone like Gemalto or Thales. Having the key on a separate server doesn’t help if the application server is compromised.

Cheers,
Evan

Sent from my iPhone

> On Oct 24, 2018, at 05:00, Stéphane KANSCHINE <stephane@xxxxxxxxx> wrote:
>
> Hi,
>
> On Wed. 24 Oct., around 08:27, Anjul Tyagi wrote:
>>
>> We are implementing pgcrypto in our database to encrypt and decrypt the
>> column data. For testing purposes we have generated the PGP public/private
>> key and use those when we read and write data.
>>
>> How can we secure the key? If we keep the key outside, how can we use it
>> in the query?
>
> We keep the private key on the app server. It communicates with postgres
> through SSL and postgres logs aren't too verbose, in order to avoid key
> exposure.
>
> If there's a better way, I'm curious about it.
>
> Regards,
> --
> Stéphane KANSCHINE - https://www.hexack.fr./ - https://www.nuajik.io./
> @ stephane@xxxxxxxxx
> +33 6 64 31 72 52
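The pattern the thread describes (private key held by the application, handed to pgcrypto per query, nothing sensitive stored in the database, server logs kept quiet) written out as an added example. This is not code from the thread or from any of its participants; the table, column and prepared-statement names are assumptions made for illustration, and the `log_parameter_max_length` settings assume PostgreSQL 13 or later.

```sql
-- Added example, not from the thread. Table and statement names are
-- assumptions made for illustration.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE customer (
    id      bigserial PRIMARY KEY,
    email   text NOT NULL,
    ssn_enc bytea            -- PGP message produced by pgp_pub_encrypt()
);

-- Write path. Encryption needs only the PUBLIC key, so the component that
-- inserts rows never has to hold the private key at all. The armored key
-- text arrives as a bind parameter ($3), not spliced into the SQL string.
PREPARE insert_customer (text, text, text) AS
    INSERT INTO customer (email, ssn_enc)
    VALUES ($1, pgp_pub_encrypt($2, dearmor($3)))
    RETURNING id;

-- Read path. The armored private key and its passphrase are sent as $1
-- and $2 for this statement only; they are never written to any table.
PREPARE read_customer (text, text, bigint) AS
    SELECT id, email, pgp_pub_decrypt(ssn_enc, dearmor($1), $2) AS ssn
    FROM customer
    WHERE id = $3;

-- Keep the key out of the server log. log_statement = 'none' is the default
-- but is set explicitly here; log_parameter_max_length = 0 (PostgreSQL 13+)
-- stops bind-parameter values from being printed in the DETAIL line that
-- accompanies statements logged by log_min_duration_statement and friends.
ALTER SYSTEM SET log_statement = 'none';
ALTER SYSTEM SET log_parameter_max_length = 0;
ALTER SYSTEM SET log_parameter_max_length_on_error = 0;  -- the default, stated explicitly
SELECT pg_reload_conf();
```

Two caveats a practitioner should keep in mind. First, the PREPARE statements above stand in for driver-level bind parameters; running EXECUTE read_customer('-----BEGIN PGP PRIVATE KEY BLOCK-----...', ...) from psql would put the key into the statement text itself, which is exactly what the logging settings cannot hide. Second, pgp_pub_decrypt() runs inside the database backend, so the private key crosses the wire (hence the SSL connection Stéphane mentions) and sits in the database server's memory for the duration of the call; that is the limitation Evan's suggestion of a KMS or HSM is meant to address, since with those the database never handles the key at all.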