On 3/18/2010 11:59 AM, Daniel Eggleston wrote:
> Full-disk encryption still requires that the DBA enter a passphrase at the time of mounting the disks and doesn't solve anything (and is less cross-platform, there may be many different flavors of Unix including HP-UX, AIX, and Linux); and encryption of just the databases allows the database application to optimize block-sizes (which differs from file to file based on the data types being stored).
>
> Hacking the nodes will be a risk regardless - anybody gaining root is game over, anyway. Once the database is mounted and accessed, PGP will no longer be required; what I am trying to accomplish is entering the PGP an arbitrarily long time before actually using it (i.e. infinite).
Not sure exactly what sort of database you're using, but gpg (to my knowledge) doesn't do block-level/random access. You can't just mount the database, stop using pgp, and write a block here and a block there. You need to use gpg to encrypt the whole file on each write and decrypt on each read. If you've got an uber-database on a SAN where there's lots of reads and writes, and DBAs are tuning block size and whatnot, it seems like the wrong tool for the job.
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users