----- Original Message ----- > From: "Patrick Simcoe" <patricksimcoe49@xxxxxxxxx> > To: pgsql-general@xxxxxxxxxxxxxx > Sent: Wednesday, 2 July, 2014 1:42:04 AM > Subject: [GENERAL] Two-way encryption > > I have a question regarding two-way encryption data for specific columns. > > Does anyone have a technique or recommendation for two-way encryption which > somehow obfuscates the decrypt key so that it isn't easily retrievable from > the database or the application source code? We've already considered (a) > letting users hold the decrypt key and (b) obfuscating the decrypt key with > the user's own (one-way encrypted) password, but neither of these > approaches are viable for us. If you want the application to be able to decrypt the data automatically, then it has to hold the decryption key somewhere. There's really no way around that. (Except getting humans to enter the key, but they get bored of typing passwords pretty quickly, and then post-it notes and keyboard macros end up storing your secret keys instead of relatively-secure server filesystems)
