8/13/2019 Encrypted PostgreSQL
1/37
Consulting Development IT Operations Training Support Products
Encrypted PostgreSQL
PGCon 2009, Ottawa, Canada
Magnus Hagander, Redpill Linpro AB

Decide what your threat is
Everything comes at a cost
  Performance or maintainability
Encryption for the sake of encryption?
Compliance/regulations?

Encryption at different layers
Application: Application data encryption
Database: Pgcrypto encryption functions
Storage: Full harddrive/filesystem encryption
SSL or VPN

Application data encryption
Independent of the database
Implemented in the application layer
So, we won't talk about the myriad of options here

Harddrive/filesystem encryption
Independent of the database
Filesystem and block device level
Needs to keep fsync behaviour!
Keeps all database functionality
Where to store the key?

Pgcrypto
Encryption as database functions
Client independent
Don't forget to encrypt the connection!

Pgcrypto - challenges
Encryption is easy
  Relatively speaking
  As long as you don't invent your own
Key management is not

Pgcrypto - overview
Raw encryption
PGP compatible encryption
Hashing

pgcrypto: raw encryption
SELECT encrypt(data, key, type)
SELECT decrypt(data, key, type)
SELECT encrypt_iv(data, key, iv, type)
Type: bf-cbc, aes-cbc, ... (ecb supported, but...)
Operates on bytea, returns bytea
gen_random_bytes() can be used to create key
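
The raw functions in use, as an added example that is not from the original slides: it builds a random key and IV with gen_random_bytes(), round-trips a value, and shows the reason behind the "ecb supported, but..." remark, since identical plaintext blocks come out as identical ciphertext blocks under ECB but not under CBC with a random IV. The plaintext is constructed, and decrypt_iv() is pgcrypto's counterpart to encrypt_iv(), which the slide does not list.

```sql
-- Added example; requires the pgcrypto extension.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

WITH material AS (
    SELECT gen_random_bytes(32) AS key,   -- 32 bytes selects AES-256
           gen_random_bytes(16) AS iv,    -- one AES block; use a fresh IV per value
           -- constructed plaintext: two identical 16-byte blocks
           convert_to(repeat('0123456789abcdef', 2), 'UTF8') AS data
),
ct AS (
    SELECT data, key, iv,
           encrypt(data, key, 'aes-ecb')        AS ecb,
           encrypt_iv(data, key, iv, 'aes-cbc') AS cbc
    FROM material
)
SELECT
    -- compare ciphertext block 1 with block 2 under each mode
    substring(ecb FROM 1 FOR 16) = substring(ecb FROM 17 FOR 16) AS ecb_blocks_repeat,
    substring(cbc FROM 1 FOR 16) = substring(cbc FROM 17 FOR 16) AS cbc_blocks_repeat,
    -- decrypt with the same key and IV and compare with the input
    decrypt_iv(cbc, key, iv, 'aes-cbc') = data                   AS round_trip_ok,
    -- the IV is not secret; it has to be stored next to the ciphertext
    encode(iv, 'hex')  AS iv_hex,
    encode(cbc, 'hex') AS cbc_hex
FROM ct;
```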

pgcrypto: PGP encryption
pgp_sym_encrypt(data, password[, opt])
pgp_sym_decrypt(data, password[, opt])
Operates on text in plaintext, bytea in ciphertext
armor(), dearmor()
Takes gpg style options like cipher-algo=aes256
Public key encryption also supported, but no key generation
Will detect wrong key/corrupt data
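
The symmetric PGP functions end to end, as an added example that is not from the original slides: encrypt into a bytea column, decrypt, armor the message, and see the wrong-key detection raise an error. The table name, data and passphrases are constructed for illustration.

```sql
-- Added example; requires the pgcrypto extension.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- Hypothetical table: the plaintext is text, the stored ciphertext is bytea.
CREATE TEMP TABLE customer_note (
    id   serial PRIMARY KEY,
    note bytea NOT NULL
);

-- Constructed data and passphrase. The passphrase is part of the statement
-- text, so it crosses the connection and can end up in statement logs.
INSERT INTO customer_note (note)
VALUES (pgp_sym_encrypt('constructed sample note',
                        'constructed passphrase',
                        'cipher-algo=aes256'));

-- Decrypting with the right passphrase returns the text.
SELECT id, pgp_sym_decrypt(note, 'constructed passphrase') AS note_text
FROM customer_note;

-- armor() wraps the binary message in PGP ASCII armor; dearmor() reverses it.
SELECT armor(note)                 AS armored,
       dearmor(armor(note)) = note AS armor_round_trip
FROM customer_note;

-- A wrong passphrase raises an error rather than returning garbage.
-- The error is caught here so that the script keeps running.
DO $$
BEGIN
    PERFORM pgp_sym_decrypt(note, 'wrong passphrase') FROM customer_note;
    RAISE NOTICE 'unexpected: decryption succeeded';
EXCEPTION WHEN OTHERS THEN
    RAISE NOTICE 'decryption refused: %', SQLERRM;
END
$$;
```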

pgcrypto: Hashing
SELECT digest(txt, type)
Returns bytea, use encode() to get hex
Md5, sha1, sha<more>
SELECT encode(digest('lolcats!', 'sha256'), 'base64')

pgcrypto: Hashing
SELECT crypt('secret', gen_salt('bf'))
Stores salt as part of hash
Autodetects algorithm
md5, bf, etc
SELECT hash = crypt('secret', hash)
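
Both hashing slides in one added example that is not from the original slides: it stores crypt() hashes for two accounts with the same password, contrasts them with unsalted digest(), and verifies a login by passing the stored hash back in as the salt. The table, user names and passwords are constructed.

```sql
-- Added example; requires the pgcrypto extension.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- Hypothetical account table.
CREATE TEMP TABLE account (
    username text PRIMARY KEY,
    pw_hash  text NOT NULL
);

-- Two users, same password. gen_salt() draws a new random salt on each call,
-- so the two stored hashes differ. 'bf' is the Blowfish-based algorithm and
-- 8 is its iteration count parameter.
INSERT INTO account (username, pw_hash) VALUES
    ('alice', crypt('constructed-secret', gen_salt('bf', 8))),
    ('bob',   crypt('constructed-secret', gen_salt('bf', 8)));

SELECT username, pw_hash FROM account;

-- Contrast: digest() takes no salt, so equal inputs always hash the same,
-- while the crypt() hashes stored above are all distinct.
SELECT encode(digest('constructed-secret', 'sha256'), 'hex') =
       encode(digest('constructed-secret', 'sha256'), 'hex') AS digest_repeats,
       (SELECT count(DISTINCT pw_hash) FROM account)         AS distinct_crypt_hashes;

-- Verification: pass the stored hash as the salt argument. crypt() reads the
-- algorithm and the salt back out of it and recomputes the hash.
SELECT username,
       pw_hash = crypt('constructed-secret', pw_hash) AS correct_password_accepted,
       pw_hash = crypt('wrong-guess', pw_hash)        AS wrong_password_accepted
FROM account;
```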

Key management
Where to store the key
How to protect the key
How to access the key
How to do key recovery

Searching encrypted data
Sorry, can't really be done by index
Match encrypted data for raw encrypted without padding
  But this decreases security
  And does "is equal" matching only
Index on expression
  But why did you encrypt in the first place?
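
Both options from this slide side by side, as an added example that is not from the original slides, showing what each one gives away. The table, values and key are constructed, and the example keeps pgcrypto's default padding rather than the unpadded variant the slide mentions.

```sql
-- Added example; requires the pgcrypto extension.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- Hypothetical table; the key below is a fixed constructed constant.
CREATE TEMP TABLE person (
    id      serial PRIMARY KEY,
    ssn_enc bytea NOT NULL
);

-- Option 1: raw encryption with one key and no per-row IV is deterministic,
-- so equal plaintexts give equal ciphertexts and a plain index works.
INSERT INTO person (ssn_enc)
SELECT encrypt(convert_to(v, 'UTF8'),
               decode('000102030405060708090a0b0c0d0e0f', 'hex'), 'aes-cbc')
FROM (VALUES ('111-11-1111'), ('222-22-2222'), ('111-11-1111')) AS t(v);

CREATE INDEX person_ssn_enc_idx ON person (ssn_enc);

-- Equality lookup only: encrypt the search term the same way and compare.
SELECT id FROM person
WHERE ssn_enc = encrypt(convert_to('111-11-1111', 'UTF8'),
                        decode('000102030405060708090a0b0c0d0e0f', 'hex'), 'aes-cbc');

-- The cost: anyone who can read the table sees which rows share a value.
SELECT encode(ssn_enc, 'hex') AS ciphertext, count(*) AS rows_sharing_it
FROM person
GROUP BY ssn_enc
HAVING count(*) > 1;

-- Option 2: index on expression. The index stores the decrypted values and
-- the index definition in the catalog contains the key.
CREATE INDEX person_ssn_plain_idx
    ON person (decrypt(ssn_enc, decode('000102030405060708090a0b0c0d0e0f', 'hex'), 'aes-cbc'));

SELECT indexdef FROM pg_indexes WHERE indexname = 'person_ssn_plain_idx';
```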

SSL secured connections
Encryption
Man-in-the-middle protection
Authentication

SSL secured connections
Enabled on the server (ssl=yes)
Optionally required through pg_hba
Optionally required in libpq
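
A server-side check to go with these settings, as an added example that is not from the original slides: it lists which TCP sessions are actually encrypted, so that "optionally required" can be verified rather than assumed. It assumes PostgreSQL 9.5 or later, where the pg_stat_ssl view exists (newer than this talk), and a role that is allowed to see other sessions in pg_stat_activity.

```sql
-- Per-session view: who is connected over TCP, with or without SSL.
SELECT a.pid, a.usename, a.datname, a.client_addr,
       s.ssl, s.version AS protocol, s.cipher, s.bits
FROM pg_stat_activity AS a
JOIN pg_stat_ssl      AS s USING (pid)
WHERE a.client_addr IS NOT NULL          -- skip Unix-socket and background sessions
ORDER BY s.ssl, a.usename, a.client_addr;

-- Roll-up for reviewing pg_hba.conf: every row with ssl = false is a
-- user/database/address combination that was admitted by a rule other than
-- hostssl and is sending its traffic in the clear.
SELECT a.usename, a.datname, a.client_addr, s.ssl, count(*) AS sessions
FROM pg_stat_activity AS a
JOIN pg_stat_ssl      AS s USING (pid)
WHERE a.client_addr IS NOT NULL
GROUP BY a.usename, a.datname, a.client_addr, s.ssl
ORDER BY s.ssl, sessions DESC;
```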

SSL secured connections
Need to protect data in both directions
For example username/password
Must know before connection is started

SSL encryption
SSL always requires a server certificate
Can be self-signed
Does not need to be known by client

Certificate chains
[Diagram: Root certificate, Intermediate certificate and Server certificate, each with an Issuer arrow; label: Self-signed certificate]

SSL secured connections
[Diagram: Client and Server]

Threats handled by SSL: Eavesdropping
[Diagram: Client and Server, with the query SELECT * FROM secret_stuff between them]

Eavesdropping
Prevented by encrypting all data
Key negotiation is automatic
Server certificate used but not verified

Threats handled by SSL: Man in the middle
[Diagram: Client, Fake server, Server; labels: Valid SSL session, Valid SSL session]

SSL server verification
On top of encryption
Validate that the server is who it claims to be
CA issues certificate, can be self-signed
CA certificate known by client

Threats handled by SSL: Man in the middle
[Diagram: Client, Fake server, Server; label: Valid SSL session]

SSL client authentication
On top of encryption
Normally on top of server verification, but not necessary
CA issued certificate on client
Match CN on certificate to user id
Protect client certificate!

SSL in libpq
Controlled by sslmode parameter
Or environment PGSSLMODE
For security, must be set on client
Remember, unknown = unsecure

Summary of libpq SSL modes

Client mode    Protect against      Compatible with server set to...    Performance
               Eavesdrop   MITM     SSL required    SSL disabled        overhead
disable        no          no       FAIL            works               no
allow          no          no       works           works               If necessary
prefer         no          no       works           works               If possible
require        yes         no       works           FAIL                yes
verify-ca      yes         yes      works           FAIL                yes
verify-full    yes         yes      works           FAIL                yes

Summary
Only encrypt what you really need
Only encrypt where you really need
Key management is hard
Many use-cases are very narrow
Encrypted PostgreSQL
Questions?
blog.hagander.net