And encrypting a tar.gz file presumes a pretty small database. (The --jobs=
option was added to pg_dump/pg_restore for just that reason.)
On 12/21/22 16:25, Benedict Holland wrote:
What would you be missing? You can encrypt databases. You can encrypt the
s3 buckets using kms. You can govern access via ssh Auth. When you do
backups, you can encrypt the tar.gz files or whatever format and store it
on s3. Same with the wal files. The fact that oracle charges for this is a
joke. Of course, you would need to ensure compliance with your opsec teams
and stuck with best security practices but it seems top to bottom
encryption is unrelated or tangentially related to the databases.
Also, if you lose the encryption keys for your backups then bad things
happen. I doubt what I did was production viable but I limited database
access to a handful of users, encrypted the disks, left the Wal files
unencrypted but mounted with read access for a single user, compressed
full backups with encryption and a password, generated sah keys for anyone
who needed service accounts to access the systems, enforced database
ownership permissions, and and gave server access to a tiny team with 2fa.
The way 8 figured it, if someone somehow rooted the box we were screwed
anyway.
For an internal database, this seemed sufficient. For an external
database, I would highly recommend paid consulting security firms or hire
people who know to build an externally facing platform.
Thanks
Ben
On Wed, Dec 21, 2022, 4:39 PM Rainer Duffner <rai...@ultra-secure.de> wrote:
Am 21.12.2022 um 22:34 schrieb Laurenz Albe <laurenz.a...@cybertec.at>:
There is no exact equivalent, but there is something similar and much
better: you can
authenticate the client with SSL client certificates:
https://www.postgresql.org/docs/current/auth-cert.html
Isn’t the wallet the part where the encryption keys are stored?
Indeed, one of the few remaining features that only Oracle (and of
course other commercial RDMSs) has seems to be full HSM support for TDE.
Rainer
--
Angular momentum makes the world go 'round.
