public inbox for [email protected]
From: Bruce Momjian <[email protected]>
To: Adam Vande More <[email protected]>
Cc: Peter Eisentraut <[email protected]>
Cc: [email protected]
Subject: Re: Data Partition Encryption documentation
Date: Mon, 2 Dec 2013 16:15:00 -0500
Message-ID: <[email protected]> (raw)
In-Reply-To: <CA+tpaK3Xshy2FhGQix3tuUYUs49gLYjpYPeXq-o1b-q3PRHwOA@mail.gmail.com>
References: <CA+tpaK19-Xb5MD7D-EOxJh811OryKZY8tXEVvarRDP--=SbZ4A@mail.gmail.com>
<[email protected]>
<CA+tpaK3Xshy2FhGQix3tuUYUs49gLYjpYPeXq-o1b-q3PRHwOA@mail.gmail.com>
List-Unsubscribe: <mailto:[email protected]?body=unsub%20pgsql-docs>
On Wed, Jun 19, 2013 at 09:45:34PM -0500, Adam Vande More wrote:
> On Wed, Jun 19, 2013 at 9:20 PM, Peter Eisentraut <[email protected]> wrote:
>
> On Thu, 2013-04-18 at 15:16 -0500, Adam Vande More wrote:
> > On this page http://www.postgresql.org/docs/9.2/static/
> encryption-options.html,
> > "gbde" is listed as the method for encrypting block devices. While
> > correct, "geli" is a much more appropriate mention as it's a more
> > powerful (e.g. aes-ni support) and secure (more ciphers, data
> > authentication, etc.) solution.
>
> Could you provide an updated wording? (E.g., should we just replace
> gbde by geli, or list both?)
>
>
>
> Sure, here is a change that encompasses more than my original observation.
> Take or leave or modify what you wish.
>
>
> pseudo diff
>
> -"On Linux, encryption can be layered on top of a file system using a "loopback
> device". This allows an entire file system partition to be encrypted on disk,
> and decrypted by the operating system. On FreeBSD, the equivalent facility is
> called GEOM Based Disk Encryption (gbde), and many other operating systems
> support this functionality, including Windows."
>
> +"There are at least two methods of encrypting a file system. The first is to
> use a tool which implements an encrypted file system. On Linux, eCryptfs or
> EncFS are commonly used for this while FreeBSD uses PEFS. The other and
> perhaps more common method is to encrypt the block device a file system or swap
> partition resides on. These types of solutions can also provide full disk
> encryption. Linux generally uses dm-crypt + LUKS for this functionality with
> other options dependent on kernel version/distro. On FreeBSD, there are two
> GEOM modules to encrypt block devices: geli & gbde with geli being the
> preferred solution for speed, security, and options. Many other operating
> systems have their own method of block device or full disk encryption."
I have developed the attached doc patch to improve our details around
storage encryption.
--
Bruce Momjian <[email protected]> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ Everyone has their own god. +
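The wording under discussion tells a DBA that the data directory can sit on a dm-crypt + LUKS block device, but not how to confirm that it actually does. The script below is an added example for this thread, not code from the PostgreSQL documentation or from anyone on the list. It assumes Linux with sysfs, util-linux `findmnt` and GNU coreutils (none of which the page mentions), and it handles the common layering pitfall: a data directory on ext4 on an LVM volume on LUKS is encrypted, yet the device directly under the file system is an LVM mapping, so a check that looks only at the top device reports a false negative. The `SYSFS` variable exists so the helpers can be exercised against a constructed sysfs tree without a real encrypted disk.

```shell
#!/bin/sh
# Added example for this thread, not code from the PostgreSQL docs or the list:
# check that a PostgreSQL data directory is backed by a dm-crypt mapping on
# Linux, the block-level "dm-crypt + LUKS" option the proposed wording names.
#
# Assumptions (not stated on the page): Linux with sysfs, util-linux findmnt,
# GNU coreutils. SYSFS may point at a fake tree to exercise the helpers offline.
set -eu

SYSFS=${SYSFS:-/sys}

# Device-mapper exposes the target type in the dm UUID under sysfs:
#   CRYPT-LUKS1-<hex>-<name>, CRYPT-LUKS2-<hex>-<name>   LUKS volumes
#   CRYPT-PLAIN-<name>                                     dm-crypt, no LUKS header
#   LVM-<hex>                                              LVM logical volume
dm_uuid_kind() {
  case "$1" in
    CRYPT-LUKS1-*) echo luks1 ;;
    CRYPT-LUKS2-*) echo luks2 ;;
    CRYPT-PLAIN-*) echo plain ;;
    *)             echo none ;;
  esac
}

# dm UUID of a kernel block device name (dm-0, sda2, ...); empty for non-dm devices.
dm_uuid_of() {
  f="$SYSFS/class/block/$1/dm/uuid"
  if [ -r "$f" ]; then cat "$f"; else echo ""; fi
}

# Walk the device stack downwards through the sysfs "slaves" links, so that
# ext4 -> LVM -> LUKS is recognised as encrypted even though the device right
# under the file system is an LVM volume.
# Prints "<dm-name>:<kind>" and returns 0 when an encrypting layer is found.
# Body is a subshell so the recursion gets its own variables in plain sh.
encrypting_ancestor() (
  kind=$(dm_uuid_kind "$(dm_uuid_of "$1")")
  if [ "$kind" != none ]; then
    echo "$1:$kind"
    exit 0
  fi
  for s in "$SYSFS/class/block/$1/slaves"/*; do
    [ -e "$s" ] || continue
    if found=$(encrypting_ancestor "$(basename "$s")"); then
      echo "$found"
      exit 0
    fi
  done
  exit 1
)

# Kernel name of the block device a path is mounted from: findmnt gives the
# mount source (e.g. /dev/mapper/pgdata or /dev/sda1[/subvol] for a btrfs
# subvolume), readlink -f follows /dev/mapper symlinks to /dev/dm-N.
backing_device() {
  src=$(findmnt -n -o SOURCE --target "$1")
  src=${src%%\[*}
  basename "$(readlink -f "$src")"
}

# Report on a data directory; exit status 1 when no dm-crypt layer backs it.
check_pgdata() {
  dev=$(backing_device "$1")
  if found=$(encrypting_ancestor "$dev"); then
    echo "$1: on ${found#*:} dm-crypt device ${found%%:*} (mounted from $dev)"
  else
    echo "$1: NOT on dm-crypt (mounted from $dev)" >&2
    return 1
  fi
}

# Usage: sh check_pgdata_crypt.sh /var/lib/postgresql/data
if [ -n "${1-}" ]; then
  check_pgdata "$1"
fi
```

Run it against the server's data directory before trusting a deployment that claims to use full-disk encryption; a `none` result for every layer means the data files are on plaintext storage. The check says nothing about swap: as the quoted suggestion notes, the swap partition is a separate block device and needs its own encryption, otherwise pages of decrypted table data can be written out in the clear. On FreeBSD the corresponding question is answered by `geli status`, which lists the attached geli providers.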
--
Sent via pgsql-docs mailing list ([email protected])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-docs
Attachments:
[text/x-diff] crypt.diff (1.2K, 2-crypt.diff)
diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml
new file mode 100644
index ab51782..99c891a
*** a/doc/src/sgml/runtime.sgml
--- b/doc/src/sgml/runtime.sgml
*************** pg_dumpall -p 5432 | psql -d postgres -p
*** 1815,1826 ****
<listitem>
<para>
! On Linux, encryption can be layered on top of a file system
! using a <quote>loopback device</quote>. This allows an entire
! file system partition to be encrypted on disk, and decrypted by the
! operating system. On FreeBSD, the equivalent facility is called
! GEOM Based Disk Encryption (<acronym>gbde</acronym>), and many
! other operating systems support this functionality, including Windows.
</para>
<para>
--- 1815,1826 ----
<listitem>
<para>
! Storage encryption can be performed at the file system level or the
! block level. Linux file system encryption options include eCryptfs
! and EncFS, while FreeBSD uses PEFS. Block level or full disk
! encryption options include dm-crypt + LUKS on Linux and GEOM
! modules geli and gbde on FreeBSD. Many other operating systems
! support this functionality, including Windows.
</para>
<para>
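Review bot: the replacement lines 1815-1826 drop the SGML markup the old text carried (`<acronym>gbde</acronym>`, `<quote>`) and name eCryptfs, EncFS, PEFS, dm-crypt, LUKS, geli and gbde as bare text; keep `<acronym>` (or `<productname>`) on those names so they render like the rest of runtime.sgml. The new wording also lists "GEOM modules geli and gbde" as equals, whereas the suggestion this message replies to singles out geli as the preferred module for speed, security and options; consider "geli (preferred) and gbde", and spell "dm-crypt + LUKS" as "dm-crypt with LUKS" in running prose. Separately, the file header carries `new file mode 100644` while the hunk edits the existing runtime.sgml against `index ab51782..99c891a`; that line looks like a generation artifact and should be dropped before commit.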