On Thu, May 20, 2010 at 09:33:23PM -0500, Peter Hunsberger wrote: > On Thu, May 20, 2010 at 8:03 PM, Richard Walker <rich...@softimp.com.au> > wrote: > > If the hacker gets root access so they can read > > the raw database files, they most likely also > > have access to the means to decrypt any > > encrypted data. This is particularly so if > > the database updates are being done by stored > > procedures. > > Only if they also get at the keys.
It's very difficult (with a conventional OS) to remove the *entirety* of the server hardware and software from the TCB. Hence you should assume that if PG ever sees a key it's also possible for an attacker to see the same key. The options are pretty much do all crypto away from the database server (either client side, or on another server that you can trust) or you have to trust (also in the technical sense) the database server itself and things become greatly simplified. > > If encryption/decryption happens > > on a separate (not-also-compromised) client, > > then OK. Do you know of a way to deal with > > this if the application is on the same computer > > as the database? > > Can you use an external key store? How does this help? if the database has been compromised, what would stop the attacker from inserting some code that records the responses from this "external key store"? -- Sam http://samason.me.uk/ -- Sent via pgsql-general mailing list (pgsql-general@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
