-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Fri, Apr 24, 2009 at 03:45:16PM -0400, Bill Moran wrote: > In response to to...@tuxteam.de:
[...] > Someone hijacking your live server does not automatically give anyone > the key, unless you implement this wrong (which is, of course, possible). > > Each _user_ gets their own key, encrypted with their password. Thus, > even if an attack gets an offline dump of the database, it does them > no good unless they already have the user's password. If they have > that, they they've been given license to bypass your security > restrictions _without_ doing anything funky. Sorry, I was unclear: what I meant was the "live" server in the sense that it's running (so either by physical access or via a trojan). In this case the keys have to be around somewhere (say in RAM) -- as opposed to the "quiescent" server (there I agree: keys are locked, or better: not even there). > But it's still protected. If an attacker manages to get an offline > copy of the database (let's imagine a horrific scenario where they > steal an unencrypted backup tape, or they find a huge SQL injection > hole that allows them access to the entire database ...) they still > only have access to the data for users that they know the password > for. Even if they have a certain user's password, it only unlocks a > single key, which only unlocks that user's data. Not if the users have already provided the password and unlocked their keys (i.e. they are working with the database). > Sure, there are challenges, but there are methods to work through all > of those challenges. I seem to be less optimistic than you are: I think as soon as the server "has" all the necessary key material to decrypt the data you are't more secure than a "traditional" system, with some access control. Regards - -- tomás -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFJ8pcZBcgs9XrR2kYRAvH4AJ9Lx9Li3y1cpqIyhjorrkKvLfQ/4gCfTzbf vrXd6oq37UmrARqVrN8FrVY= =kENy -----END PGP SIGNATURE----- -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers