X-Original-To: pgsql-docs-postgresql.org@localhost.postgresql.org
Received: from localhost (unknown [200.46.204.144])
	by svr1.postgresql.org (Postfix) with ESMTP id 6C8E953820
	for <pgsql-docs-postgresql.org@localhost.postgresql.org>;
	Fri, 29 Apr 2005 13:48:29 -0300 (ADT)
Received: from svr1.postgresql.org ([200.46.204.71])
	by localhost (av.hub.org [200.46.204.144]) (amavisd-new, port 10024)
	with ESMTP id 28935-05
	for <pgsql-docs-postgresql.org@localhost.postgresql.org>;
	Fri, 29 Apr 2005 16:48:18 +0000 (GMT)
Received: from candle.pha.pa.us (candle.pha.pa.us [64.139.89.126])
	by svr1.postgresql.org (Postfix) with ESMTP id E357453810
	for <pgsql-docs@postgresql.org>; Fri, 29 Apr 2005 13:48:17 -0300 (ADT)
Received: (from pgman@localhost)
	by candle.pha.pa.us (8.11.6/8.11.6) id j3TGmFx13138;
	Fri, 29 Apr 2005 12:48:15 -0400 (EDT)
From: Bruce Momjian <pgman@candle.pha.pa.us>
Message-Id: <200504291648.j3TGmFx13138@candle.pha.pa.us>
Subject: Re: Using Encryption Patch to Docs
In-Reply-To: <20050429164435.EF70C4309@cbbrowne.com>
To: Christopher Browne <cbbrowne@cbbrowne.com>
Date: Fri, 29 Apr 2005 12:48:15 -0400 (EDT)
Cc: PostgreSQL-documentation <pgsql-docs@postgresql.org>
X-Mailer: ELM [version 2.4ME+ PL121 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
X-Virus-Scanned: by amavisd-new at hub.org
X-Spam-Status: No, hits=0.01 tagged_above=0 required=5 tests=AWL
X-Spam-Level: 
X-Archive-Number: 200504/32
X-Sequence-Number: 2962


Your patch has been added to the PostgreSQL unapplied patches list at:

	http://momjian.postgresql.org/cgi-bin/pgpatches

It will be applied as soon as one of the PostgreSQL committers reviews
and approves it.

---------------------------------------------------------------------------


Christopher Browne wrote:
> ? out
> Index: runtime.sgml
> ===================================================================
> RCS file: /projects/cvsroot/pgsql/doc/src/sgml/runtime.sgml,v
> retrieving revision 1.315
> diff -u -r1.315 runtime.sgml
> --- runtime.sgml	23 Apr 2005 03:27:40 -0000	1.315
> +++ runtime.sgml	29 Apr 2005 16:43:22 -0000
> @@ -5109,6 +5109,132 @@
>  
>   </sect1>
>  
> + <sect1 id="encryption-approaches">
> +   <title>Use of Encryption in <productname>PostgreSQL</productname></title>
> +   <indexterm zone="encryption-approaches">
> +    <primary>encryption</primary>
> +   </indexterm>
> +
> +   <para> There is increasing interest in having verifiable mechanisms
> +    to maintain the privacy of data in databases.  In the United
> +    States, legislation called <acronym>HIPAA</acronym> (Health
> +    Insurance Portability and Accountability Act) requires that
> +    personal health information is handled securely.  The European
> +    Union has similarly been developing directives as to how personal
> +    data is to be managed there.</para>
> +   
> +   <para> Questions frequently come up as to what functionality
> +    <productname>PostgreSQL</productname> offers with regard to
> +    supporting the use of data encryption.  It uses and provides use of
> +    encryption tools in several ways that may be useful to provide
> +    protection against certain classes of attacks.</para>
> +   
> +   <itemizedlist>
> +
> +    <listitem><para> Passwords stored in MD5 form </para>
> +
> +     <para> Passwords are normally not stored in
> +      <quote>plaintext</quote> form in the database; they are hashed
> +      using the built-in MD5 function, and <emphasis>that</emphasis> is
> +      what is stored in the database.  </para>
> +     
> +<programlisting>
> +sample=# alter user foo password 'some dumb value';
> +ALTER USER
> +sample=# select usename, passwd from pg_shadow where usename = 'foo';
> + usename |               passwd                
> +---------+-------------------------------------
> + foo     | md5740daa4aaa084d85eb97648084a43bbb
> +(1 row)
> +</programlisting>
> +
> +</listitem>
> +
> +    <listitem><para> Connections protected using SSL</para>
> +
> +      <para> There are various options to control how mandatory it is
> +      to use SSL to protect data connections.  At the most
> +      <quote>paranoid</quote> end of the spectrum, you can configure
> +      <filename>pg_hba.conf</filename> to have the database reject
> +      connections that do <emphasis>not</emphasis> come in via
> +      SSL.</para>
> +
> +      <para> The use of SSL, alone, is useful for protecting
> +      communications against interception.  It may not be necessary
> +      for connections that take place across a carefully controlled
> +      network; if connections are coming in from less controlled
> +      sources, its use is highly recommended.</para></listitem>
> +
> +    <listitem><para> Connections authenticated using SSL</para>
> +
> +     <para> It is possible for both the client and server to provide
> +      to one another SSL keys or certificates.  It takes some extra
> +      configuration on each side where these are used, but this likely
> +      provides stronger verification of identity than the mere use of a
> +      text password. </para></listitem>
> +
> +    <listitem><para> Using OS level encryption for entire database
> +      partitions</para>
> +
> +     <para> On Linux, encryption can be layered on top of a filesystem
> +      mount using what is called a <quote>loopback device;</quote> this
> +      permits having a whole filesystem partition be encrypted on disk,
> +      decrypted by the operating system.  On FreeBSD, the equivalent
> +      facility is called GEOM Based Disk Encryption, or
> +      <acronym>gbde</acronym>.</para>
> +
> +     <para> This mechanism may be expected to be useful for protecting
> +      against the threat that someone might pull disk drives out and
> +      try to install them somewhere else to draw data off of them.
> +     </para>
> +
> +     <para> In contrast, this mechanism does nothing to protect
> +      against attacks when the filesystem is mounted, because when
> +      mounted, the OS provides a <quote>view</quote> of the filesystem
> +      accessible in plain text form.  Furthermore, you need some way
> +      for the encryption key to be passed to the operating system in
> +      order to mount the filesystems, which encourages having the key
> +      accessible somewhere on the host that mounts the disk.
> +     </para></listitem>
> +
> +    <listitem><para> Using the contrib function library
> +      <function>pgcrypto</function> so the database engine manages
> +      encryption of certain fields.</para>
> +
> +     <para>If much of the data can be in plain text form, and only a
> +      subset is particularly sensitive, this mechanism supports
> +      treating them differently.  The encrypted data is only ever
> +      presented in <quote>unencrypted</quote> form while it is being
> +      communicated between client and server, and the use of an SSL
> +      layer of <quote>superencryption</quote> alleviates that
> +      problem.</para>
> +     
> +     <para> Unfortunately, in this approach, the encryption keys need
> +      to be present on the server, even if only for a moment, which
> +      presents the possibility of them being intercepted by someone
> +      with access to the database server.  As a result, this mechanism
> +      is not suitable for storage of data that is too sensitive for
> +      system administrators to have access to it. </para></listitem>
> +
> +    <listitem><para> Using cryptographic tools on the client </para>
> +
> +     <para> If it is not safe to trust the system administrators at
> +      least somewhat, you may find it necessary to encrypt data at the
> +      client level such that unencrypted data never appears on the
> +      database server.  This sort of <quote>paranoia</quote> is quite
> +      appropriate for applications where it would be damaging for data
> +      to be seen by inappropriate readers that might generally be
> +      considered trustworthy, as can be the case with
> +      medical and legal records.</para>
> +
> +     <para> Peter Wayner's book, <citation>Translucent
> +       Databases</citation>, discusses how to do this in considerable
> +      detail.</para></listitem>
> +
> +   </itemizedlist>
> +
> +  </sect1>
> +
>  </chapter>
>  
>  <!-- Keep this comment at the end of the file
> 

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073