Consulting ● Development ● IT Operations ● Training ● Support ● Products
Encrypted PostgreSQL
PGCon 2009
Ottawa, Canada
Magnus Hagander
Redpill Linpro AB

Decide what your threat is
● Everything comes at a cost
– Performance or maintainability
● Encryption for the sake of encryption?
● Compliance/regulations?

Encryption at different layers
● Application: Application data encryption
● Database: Pgcrypto encryption functions
● Storage: Full harddrive/filesystem encryption
● SSL or VPN

Application data encryption
● Independent of the database
● Implemented in the application layer
– No, we won't talk about the myriad of options here

Harddrive/filesystem encryption
● Independent of the database
● Filesystem and block device level
● Needs to keep fsync behaviour!
● Keeps all database functionality
● Where to store the key?

Pgcrypto
● Encryption as database functions
● Client independent
● Don't forget to encrypt the connection!

Pgcrypto - challenges
● Encryption is easy
– Relatively speaking
– As long as you don't invent your own!
● Key management is not

Pgcrypto – overview
● Raw encryption
● PGP compatible encryption
● Hashing

pgcrypto: raw encryption
SELECT encrypt(data, key, type)
SELECT decrypt(data, key, type)
SELECT encrypt_iv(data, key, iv, type)
● Type: bf-cbc, aes-cbc, ... (ecb supported, but..)
● Operates on bytea, returns bytea
● gen_random_bytes() can be used to create key

pgcrypto: PGP encryption
pgp_sym_encrypt(data, password[, opt])
pgp_sym_decrypt(data, password[, opt])
● Operates on text in plaintext, bytea in ciphertext
– armor(), dearmor()
● Takes gpg style options like cipher-algo=aes256
● Public key encryption also supported, but no key generation
● Will detect wrong key/corrupt data

pgcrypto: Hashing
● SELECT digest(txt, type)
– Returns bytea, use encode() to get hex
– Md5, sha1, sha<more>
● SELECT encode(digest('lolcats!', 'sha256'), 'base64')

pgcrypto: Hashing
● SELECT crypt('secret', gen_salt('bf'))
– Stores salt as part of hash
– Autodetects algorithm
– md5, bf, etc
● SELECT hash=crypt('secret', hash)

Key management
● Where to store the key
● How to protect the key
● How to access the key
● How to do key recovery

Searching encrypted data
● Sorry, can't really be done by index
● Match encrypted data for raw encrypted without padding
– But this decreases security
– And does «is equal» matching only
● Index on expression
– But why did you encrypt in the first place?
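
The trade-off on this slide, as an added example that is not from the talk: raw encrypt() with a fixed key and its default all-zero IV is deterministic, which is what makes equality matching possible and also what leaks which rows share a value, while pgp_sym_encrypt() produces a different ciphertext on every call. The table, column names, key and passphrase are constructed, and CREATE EXTENSION assumes PostgreSQL 9.1 or later.

```sql
-- Added example. Table, columns, key and passphrase are constructed for illustration.
CREATE EXTENSION IF NOT EXISTS pgcrypto;   -- assumes PostgreSQL 9.1 or later

CREATE TEMP TABLE customer (
    id        serial PRIMARY KEY,
    email_raw bytea,   -- encrypt(): fixed key, IV defaults to all zeroes
    email_pgp bytea    -- pgp_sym_encrypt(): fresh random salt and session key per call
);

-- Three rows; the first two hold the same plaintext.
INSERT INTO customer (email_raw, email_pgp)
SELECT encrypt(convert_to(v, 'UTF8'),
               '\x00112233445566778899aabbccddeeff'::bytea,  -- constructed 128-bit key
               'aes-cbc'),
       pgp_sym_encrypt(v, 'constructed-passphrase')
FROM (VALUES ('alice@example.com'),
             ('alice@example.com'),
             ('bob@example.com')) AS t(v);

-- Equality lookup on the raw column: same key, same IV and same plaintext give
-- the same ciphertext, so "=" (and an ordinary index on email_raw) can match.
SELECT id
FROM customer
WHERE email_raw = encrypt(convert_to('alice@example.com', 'UTF8'),
                          '\x00112233445566778899aabbccddeeff'::bytea,
                          'aes-cbc');

-- The same property seen by someone who can read the table but has no key:
-- repeated values show up as repeated ciphertexts.
SELECT encode(email_raw, 'hex') AS ciphertext, count(*) AS rows_sharing_value
FROM customer
GROUP BY email_raw
HAVING count(*) > 1;

-- PGP column: compare the number of rows with the number of distinct ciphertexts.
SELECT count(*) AS total_rows, count(DISTINCT email_pgp) AS distinct_ciphertexts
FROM customer;

-- Searching the PGP column therefore means decrypting every row.
-- An index on this decrypted expression would hold the plaintext in the index
-- and the passphrase in the index definition.
SELECT id
FROM customer
WHERE pgp_sym_decrypt(email_pgp, 'constructed-passphrase') = 'alice@example.com';
```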
SSL

SSL secured connections
● Encryption
● Man-in-the-middle protection
● Authentication

SSL secured connections
● Enabled on the server (ssl=yes)
● Optionally required through pg_hba
● Optionally required in libpq

SSL secured connections
● Need to protect data in both directions
● For example username/password
● Must know before connection is started
– Unknown equals unprotected

SSL encryption
● SSL always requires a server certificate
● Can be self-signed
● Does not need to be known by client

Certificate chains
[Diagram: Server certificate, Intermediate certificate and Root certificate linked by "Issuer" arrows, alongside a Self-signed certificate]

SSL secured connections
[Diagram: Client and Server]

Threats handled by SSL: Eavesdropping
[Diagram: Client and Server, with SELECT * FROM secret_stuff on the connection between them]

Eavesdropping
● Prevented by encrypting all data
● Key negotiation is automatic
● Server certificate used but not verified

Threats handled by SSL: Man in the middle
[Diagram: Client, Fake server and Server, with two links each labelled "Valid SSL session"]

SSL server verification
● On top of encryption
● Validate that the server is who it claims to be
● CA issues certificate, can be self-signed
● CA certificate known by client

Threats handled by SSL: Man in the middle
[Diagram: Client, Fake server and Server, with a single link labelled "Valid SSL session"]

SSL client authentication
● On top of encryption
● Normally on top of server verification, but not necessary
● CA issued certificate on client
● Match CN on certificate to user id
● Protect client certificate!

SSL in libpq
● Controlled by sslmode parameter
● Or environment PGSSLMODE
● For security, must be set on client
– Remember, unknown = unsecure

Summary of libpq SSL modes

| Client mode | Protect against: Eavesdrop | Protect against: MITM | Compatible with server set to SSL required | Compatible with server set to SSL disabled | Performance overhead |
|---|---|---|---|---|---|
| disable | no | no | FAIL | works | no |
| allow | no | no | works | works | If necessary |
| prefer | no | no | works | works | If possible |
| require | yes | no | works | FAIL | yes |
| verify-ca | yes | yes | works | FAIL | yes |
| verify-full | yes | yes | works | FAIL | yes |
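
A server-side check that goes with the table above, added here and not part of the talk: it lists sessions that reached the server without SSL and summarises what the encrypted ones negotiated. It assumes PostgreSQL 9.5 or later, where the pg_stat_ssl view exists.

```sql
-- Added example; assumes PostgreSQL 9.5 or later (pg_stat_ssl view).

-- TCP sessions that are not encrypted, for example clients running with
-- sslmode disable or allow against a server whose pg_hba.conf does not
-- insist on hostssl for them.
SELECT a.pid,
       a.usename,
       a.datname,
       a.client_addr,
       a.application_name
FROM pg_stat_activity AS a
JOIN pg_stat_ssl      AS s ON s.pid = a.pid
WHERE a.client_addr IS NOT NULL   -- skip Unix-socket and background sessions
  AND NOT s.ssl
ORDER BY a.usename, a.client_addr;

-- Encrypted sessions grouped by negotiated protocol version and cipher.
SELECT s.version,
       s.cipher,
       s.bits,
       count(*) AS sessions
FROM pg_stat_activity AS a
JOIN pg_stat_ssl      AS s ON s.pid = a.pid
WHERE s.ssl
GROUP BY s.version, s.cipher, s.bits
ORDER BY sessions DESC;

-- The server only sees whether a session is encrypted. Whether the client
-- verified the server certificate (verify-ca, verify-full) is not visible
-- here and still has to be configured on the client.
```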

Summary
● Only encrypt what you really need
● Only encrypt where you really need
● Key management is hard
● Many use-cases are very narrow
Encrypted PostgreSQL
Questions?
[email protected]
blog.hagander.net