|
1 | 1 | <!-- |
2 | | -$PostgreSQL: pgsql/doc/src/sgml/runtime.sgml,v 1.315 2005/04/23 03:27:40 momjian Exp $ |
| 2 | +$PostgreSQL: pgsql/doc/src/sgml/runtime.sgml,v 1.316 2005/05/08 03:29:06 momjian Exp $ |
3 | 3 | --> |
4 | 4 |
|
5 | 5 | <chapter Id="runtime"> |
@@ -5109,6 +5109,132 @@ psql -h localhost -p 3333 template1 |
5109 | 5109 |
|
5110 | 5110 | </sect1> |
5111 | 5111 |
|
| 5112 | + <sect1 id="encryption-approaches"> |
| 5113 | + <title>Use of Encryption in <productname>PostgreSQL</productname></title> |
| 5114 | + <indexterm zone="encryption-approaches"> |
| 5115 | + <primary>encryption</primary> |
| 5116 | + </indexterm> |
| 5117 | + |
| 5118 | + <para> There is increasing interest in having verifiable mechanisms |
| 5119 | + to maintain the privacy of data in databases. In the United |
| 5120 | + States, legislation called <acronym>HIPAA</acronym> (Health |
| 5121 | + Insurance Portability and Accountability Act) requires that |
| 5122 | + personal health information is handled securely. The European |
| 5123 | + Union has similarly been developing directives as to how personal |
| 5124 | + data is to be managed there.</para> |
| 5125 | + |
| 5126 | + <para> Questions frequently come up as to what functionality |
| 5127 | + <productname>PostgreSQL</productname> offers with regard to |
| 5128 | + supporting the use of data encryption. It uses and provides use of |
| 5129 | + encryption tools in several ways that may be useful to provide |
| 5130 | + protection against certain classes of attacks.</para> |
| 5131 | + |
| 5132 | + <itemizedlist> |
| 5133 | + |
| 5134 | + <listitem><para> Passwords stored in MD5 form </para> |
| 5135 | + |
| 5136 | + <para> Passwords are normally not stored in |
| 5137 | + <quote>plaintext</quote> form in the database; they are hashed |
| 5138 | + using the built-in MD5 function, and <emphasis>that</emphasis> is |
| 5139 | + what is stored in the database. </para> |
| 5140 | + |
| 5141 | +<programlisting> |
| 5142 | +sample=# alter user foo password 'some dumb value'; |
| 5143 | +ALTER USER |
| 5144 | +sample=# select usename, passwd from pg_shadow where usename = 'foo'; |
| 5145 | + usename | passwd |
| 5146 | +---------+------------------------------------- |
| 5147 | + foo | md5740daa4aaa084d85eb97648084a43bbb |
| 5148 | +(1 row) |
| 5149 | +</programlisting> |
| 5150 | + |
| 5151 | +</listitem> |
| 5152 | + |
| 5153 | + <listitem><para> Connections protected using SSL</para> |
| 5154 | + |
| 5155 | + <para> There are various options to control how mandatory it is |
| 5156 | + to use SSL to protect data connections. At the most |
| 5157 | + <quote>paranoid</quote> end of the spectrum, you can configure |
| 5158 | + <filename>pg_hba.conf</filename> to have the database reject |
| 5159 | + connections that do <emphasis>not</emphasis> come in via |
| 5160 | + SSL.</para> |
| 5161 | + |
| 5162 | + <para> The use of SSL, alone, is useful for protecting |
| 5163 | + communications against interception. It may not be necessary |
| 5164 | + for connections that take place across a carefully controlled |
| 5165 | + network; if connections are coming in from less controlled |
| 5166 | + sources, its use is highly recommended.</para></listitem> |
| 5167 | + |
| 5168 | + <listitem><para> Connections authenticated using SSL</para> |
| 5169 | + |
| 5170 | + <para> It is possible for both the client and server to provide |
| 5171 | + to one another SSL keys or certificates. It takes some extra |
| 5172 | + configuration on each side where these are used, but this likely |
| 5173 | + provides stronger verification of identity than the mere use of a |
| 5174 | + text password. </para></listitem> |
| 5175 | + |
| 5176 | + <listitem><para> Using OS level encryption for entire database |
| 5177 | + partitions</para> |
| 5178 | + |
| 5179 | + <para> On Linux, encryption can be layered on top of a filesystem |
| 5180 | + mount using what is called a <quote>loopback device;</quote> this |
| 5181 | + permits having a whole filesystem partition be encrypted on disk, |
| 5182 | + decrypted by the operating system. On FreeBSD, the equivalent |
| 5183 | + facility is called GEOM Based Disk Encryption, or |
| 5184 | + <acronym>gbde</acronym>.</para> |
| 5185 | + |
| 5186 | + <para> This mechanism may be expected to be useful for protecting |
| 5187 | + against the threat that someone might pull disk drives out and |
| 5188 | + try to install them somewhere else to draw data off of them. |
| 5189 | + </para> |
| 5190 | + |
| 5191 | + <para> In contrast, this mechanism does nothing to protect |
| 5192 | + against attacks when the filesystem is mounted, because when |
| 5193 | + mounted, the OS provides a <quote>view</quote> of the filesystem |
| 5194 | + accessible in plain text form. Furthermore, you need some way |
| 5195 | + for the encryption key to be passed to the operating system in |
| 5196 | + order to mount the filesystems, which encourages having the key |
| 5197 | + accessible somewhere on the host that mounts the disk. |
| 5198 | + </para></listitem> |
| 5199 | + |
| 5200 | + <listitem><para> Using the contrib function library |
| 5201 | + <function>pgcrypto</function> so the database engine manages |
| 5202 | + encryption of certain fields.</para> |
| 5203 | + |
| 5204 | + <para>If much of the data can be in plain text form, and only a |
| 5205 | + subset is particularly sensitive, this mechanism supports |
| 5206 | + treating them differently. The encrypted data is only ever |
| 5207 | + presented in <quote>unencrypted</quote> form while it is being |
| 5208 | + communicated between client and server, and the use of an SSL |
| 5209 | + layer of <quote>superencryption</quote> alleviates that |
| 5210 | + problem.</para> |
| 5211 | + |
| 5212 | + <para> Unfortunately, in this approach, the encryption keys need |
| 5213 | + to be present on the server, even if only for a moment, which |
| 5214 | + presents the possibility of them being intercepted by someone |
| 5215 | + with access to the database server. As a result, this mechanism |
| 5216 | + is not suitable for storage of data that is too sensitive for |
| 5217 | + system administrators to have access to it. </para></listitem> |
| 5218 | + |
| 5219 | + <listitem><para> Using cryptographic tools on the client </para> |
| 5220 | + |
| 5221 | + <para> If it is not safe to trust the system administrators at |
| 5222 | + least somewhat, you may find it necessary to encrypt data at the |
| 5223 | + client level such that unencrypted data never appears on the |
| 5224 | + database server. This sort of <quote>paranoia</quote> is quite |
| 5225 | + appropriate for applications where it would be damaging for data |
| 5226 | + to be seen by inappropriate readers that might generally be |
| 5227 | + considered trustworthy, as can be the case with |
| 5228 | + medical and legal records.</para> |
| 5229 | + |
| 5230 | + <para> Peter Wayner's book, <citation>Translucent |
| 5231 | + Databases</citation>, discusses how to do this in considerable |
| 5232 | + detail.</para></listitem> |
| 5233 | + |
| 5234 | + </itemizedlist> |
| 5235 | + |
| 5236 | + </sect1> |
| 5237 | + |
5112 | 5238 | </chapter> |
5113 | 5239 |
|
5114 | 5240 | <!-- Keep this comment at the end of the file |
|