PostgreSQL instance encryption: More database security

Full PostgreSQL instance encryption

Hans-Jürgen Schönigwww.postgresql-support.de


First of all


Did . . .

Did everybody have a good time in Tallinn?


Introduction


Cybertec Schönig & Schönig GmbH

I 24x7 support for PostgreSQLI PostgreSQL trainingI PostgreSQL consulting


Get more out of PostgreSQL


PostgreSQL features

I PostgreSQL provides many featuresI Many “Enterprise” features are available

I e.g. replication, analytics, etc.


Missing stuff

I Nothing is feature completeI Once in a while everybody finds missing parts


Sponsoring vs. licensing

I Remember, PostgreSQL is Open SourceI Sponsoring a feature is often cheaper than buying commercial

licensesI No need to chain yourself to a commercial vendor


Database encryption: An example


Specific customer requirements

I Customer could only provide encryption based on expensivecommercial software

I Encryption is needed to fulfill legal and internal requirements


Making it work

I Implement highly optimized code to handle encryption on theblock level in PostgreSQL

I Totally transparent to the end userI Keys can be stored in a key store of your choice


What it does

I We encrypt:I TablesI IndexesI Temporary filesI Full WAL encryptionI Commit Log (clog)I More stuff: Subtransaction directories, MultiXact . . .

I What we do not encrypt (yet):I pg_stat_statements, logical replication buffers, control data (on

purpose)


Encryption technology

I Extensible mechanismI Included in pgcrypto: AES-XTS 128I Future versions will use Intel hardware support

I Current prototype does 4 GB / sec per core !


Good news

I We all got encryption nowI Not yet in core but available to end users already with full

professional supportI Patch on hackers

I Anybody willing to feedback?


Commercial success

I Writing code + integrating was cheaper than just integratingcommercial stuff

I Makes sense for everybodyI CustomerI Community


What we learn from this

I Have the guts and the conviction to do what is rightI Think for yourself

I Find solutions to YOUR problemsI Do not change your requirements just because some commercial

vendor forces you to do so

I Benefit from Open SourceI Invest wisely


Where can we get the code?

I Our website has the code:I http://www.cybertec.at/en/products/postgresql-instance-

level-encryption/I It is under PostgreSQL license


Finally


Any questions?

I Feel free to ask


Contact us

Cybertec Schönig & Schönig GmbH

Email: [email protected]: www.postgresql-support.deFollow us on Twitter: @PostgresSupport


PostgreSQL instance encryption: More database security

Data & Analytics