Doug McNaught wrote: > David Blewett <david@xxxxxxxxxxxxxxxx> writes: > > > In reading the documentation of Peter Gutmann's Cryptlib, I came > > across this section: > > "The use of crypto devices can also complicate key management, since > > keys generated or loaded into the device usually can't be extracted > > again afterwards. This is a security feature that makes external > > access to the key impossible, and works in the same way as cryptlib's > > own storing of keys inside it's security perimeter. This means that if > > you have a crypto device that supports (say) DES and RSA encryption, > > then to export an encrypted DES key from a context stored in the > > device, you need to use an RSA context also stored inside the device, > > since a context located outside the device won't have access to the > > DES context's key." > > > > I'm not familiar with how his library protects keys, but this suggests > > that it would be possible to use it as a basis for transparent > > encryption. > > He's talking about hardware crypto devices, which most systems don't > have (though they're certainly available). If you don't have one of > those, then the key has to be stored in system memory. FYI, we do have a general encryption documentation section: http://www.postgresql.org/docs/8.1/static/encryption-options.html -- Bruce Momjian | http://candle.pha.pa.us pgman@xxxxxxxxxxxxxxxx | (610) 359-1001 + If your life is a hard drive, | 13 Roberts Road + Christ can be your backup. | Newtown Square, Pennsylvania 19073
