Welcome to Total Security
04/25/15 robert7390@comcast.net 2
The Ideal PostgreSQL DBA
● DBA
● Systems Administration
● Programming, e.g. C
What is Security?
About The Demo Environment
Server ISO of Ubuntu, minimal installation
http://www.ubuntu.com/download/server
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04.2 LTS
Release: 14.04
Codename: trusty
Confirm nothing is running
netstat -tlnp
Debian Install
Update The Install:
apt-get update
apt-get dist-upgrade
Review Existing Packages
dpkg -l
apt-cache search postgres | grep -E "^postgresql" | less -S
Install PostgreSQL Packages:
apt-get install postgresql postgresql-contrib
Review Installation (9.3+)
pg_lsclusters
Source Code Install ($HOME account)
SRC: http://www.postgresql.org/ftp/source
apt-get install libreadline6-dev zlib1g-dev libssl-dev
./configure --prefix=$HOME/pg93 --with-openssl
make install-world
Update PATH environment in $HOME:
pg_config
Create a 2nd cluster:
initdb -D $HOME/data93 -U postgres -A trust
pg_ctl -D $HOME/data93 -o '-c port=10093 -c unix_socket_directories=/tmp -c logging_collector=on' start
Before we continue...
What did we just do?
Comparison: SRC vs Debian
About TCP, DOMAIN socket ports
About configuration files:
pg_hba.conf
postgresql.conf
PSQL Sessions
About Authentication
Authentication Methods
* Trust Authentication (pg_hba.conf)
* Password Authentication
GSSAPI Authentication (Kerberos)
SSPI Authentication (ms-windows)
Kerberos Authentication (Deprecated)
Ident Authentication (Deprecated: pg_ident.conf)
* Peer Authentication
LDAP Authentication
RADIUS Authentication
* Certificate Authentication (SSL)
PAM Authentication
About Host Based Authentication:
pg_hba.conf
About ROLES
One Approach Among Many
About ROLES
DEFINING THE TYPES OF ROLES
- superuser (postgres)
- database owner
- relations owner
- role_rw (nologin)
- user account roles (with login)
- application, client, processes
- sys administrators
About ROLES
CREATING THE GENERIC ROLES
create role db_owner with nologin;
create role db with nologin;
create role db_rw with nologin;
comment on role db_owner is
'The owner of the database db';
comment on role db is
'The owner of the relations on database db';
comment on role db_rw is
'The role executing all DML operations';
About ROLES
CREATE USERS
create role robertbernier
with login
Inherit
Password '123'
valid until '31 dec 2017'
in role db_owner, db, db_rw;
create role user1
with login
inherit
password '123'
valid until '31 dec 2017' -- Do we really want this ROLE to expire?
in role db_rw;
comment on role robertbernier is 'user account assigned as administrator';
comment on role user1 is 'user account for the client application(s)';
About The Database
----------------------------------------------------
create database db with owner db_owner;
comment on database db is 'our working demo database';
----------------------------------------------------
\c db
drop schema public;
create schema db authorization db;
comment on schema db is 'this is where all the relations go';
alter database db set search_path='db';
About The Demo Tables
\set ON_ERROR_STOP on
set role db;
create table t1 (
id serial primary key,
x float not null default random(),
t_stamp timestamp not null default now()
);
create table t2(like t1 including all);
create table t3(like t1 including all);
insert into t1 default values;
insert into t1 default values;
insert into t1 default values;
insert into t2 default values;
insert into t2 default values;
insert into t2 default values;
insert into t3 default values;
insert into t3 default values;
insert into t3 default values;
About The Demo Tables
----------------------------------------------------
SET PRIVILEGES
grant usage on schema db to db_rw;
grant select, insert, update, delete on all tables in schema db to db_rw;
grant usage on all sequences in schema db to db_rw;
----------------------------------------------------
VALIDATE PERMISSIONS
set role user1;
insert into t1 default values;
insert into t2 default values;
insert into t3 default values;
table t1;
table t2;
table t3;
CAVEAT: privileges must be declared for all new relations.
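The caveat above is where this role model usually breaks down in practice, so here is an added example (not part of the original slides) that closes it with ALTER DEFAULT PRIVILEGES and then audits the result from the catalog. It assumes the roles db, db_rw and user1 and the schema db created on the previous slides; t4 is a new table created here to show that no GRANT is needed for it.

```sql
-- Run as the relation owner "db": from now on every table or sequence that db
-- creates in schema db is granted to db_rw automatically, so the GRANTs on the
-- previous slide no longer have to be repeated for each new relation.
set role db;
alter default privileges for role db in schema db
    grant select, insert, update, delete on tables to db_rw;
alter default privileges for role db in schema db
    grant usage on sequences to db_rw;

-- A relation created after the defaults were set: no explicit GRANT needed.
create table t4 (like t1 including all);

-- Verify as the application account, which inherits db_rw.
set role user1;
insert into t4 default values;
table t4;
reset role;

-- Audit the schema: who owns each table, and what can the two roles do?
-- Expected for t1..t4: owner = db, rw_insert = t, user1_delete = t,
-- user1_truncate = f (TRUNCATE was never granted, only the four DML rights).
select c.relname,
       pg_get_userbyid(c.relowner)                    as owner,
       has_table_privilege('db_rw', c.oid, 'insert')   as rw_insert,
       has_table_privilege('user1', c.oid, 'delete')   as user1_delete,
       has_table_privilege('user1', c.oid, 'truncate') as user1_truncate
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'db' and c.relkind = 'r'
order by c.relname;

-- The defaults themselves are recorded in pg_default_acl.
select pg_get_userbyid(defaclrole) as for_role, defaclobjtype, defaclacl
from pg_default_acl;
```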
About The Demo Tables
CONNECTION ATTEMPTS
There's a double layer of access control going on:
- SQL PRIVILEGES (authorization: what a role may do once connected)
- pg_hba.conf (authentication: who may connect, from where, and how)
CAVEAT: This configuration prevents the superuser from logging in as the
other user accounts. But he can still SET ROLE.
About CERTIFICATES
About CERTIFICATES, 1/2
# CREATE THE CERTIFICATE AUTHORITY (answer the questions)
/usr/lib/ssl/misc/CA.pl -newca
# CREATE A PRIVATE KEY, CRT REQUEST FOR POSTGRES SERVER
/usr/lib/ssl/misc/CA.pl -newreq
# SIGN THE CERTIFICATE REQUEST FOR POSTGRES CLIENT
/usr/lib/ssl/misc/CA.pl -sign
# RENAME KEY AND CERTIFICATE FOR POSTGRES CLIENT
mv newreq.pem robertbernier_req.pem
mv newkey.pem robertbernier_key.pem
mv newcert.pem robertbernier_crt.pem
# CREATE A PRIVATE KEY, CRT REQUEST FOR POSTGRES SERVER
/usr/lib/ssl/misc/CA.pl -newreq
# SIGN THE CERTIFICATE REQUEST FOR POSTGRES SERVER
/usr/lib/ssl/misc/CA.pl -sign
About CERTIFICATES, 2/2
# RENAME KEY AND CERTIFICATE FOR POSTGRES SERVER
mv newreq.pem postgres_req.pem
mv newkey.pem postgres_key.pem
mv newcert.pem postgres_crt.pem
# UNLOCK KEYS / REMOVE PASSPHRASE
openssl rsa -in robertbernier_key.pem -out robertbernier.key
openssl rsa -in postgres_key.pem -out postgres.key
# INSTALL SERVER CERTIFICATE (you can still use snake oil as server certificate but client cannot validate server)
# EDIT, postgresql.conf: ssl_ca_file = '/etc/postgresql/9.3/main/cacert.pem'
#   (ssl_ca_file is the CA certificate the server uses to verify client certificates;
#    ssl_key_file must remain the server's own private key)
cp cacert.pem /etc/postgresql/9.3/main/
# INSTALL CLIENT CERTIFICATES (ROLE: "robertbernier", DIR: ".postgresql")
cp robertbernier.key ~/.postgresql/postgresql.key
cp robertbernier_crt.pem ~/.postgresql/postgresql.crt
NOTE, alternate login (works with any account, via TCP/IP sockets):
psql 'host=localhost dbname=db user=robertbernier sslcert=robertbernier_crt.pem sslkey=robertbernier.key'
# CERTIFICATE PROPERTIES
openssl x509 -purpose -inform PEM -in ./demoCA/cacert.pem 2>&1 |less
openssl x509 -purpose -inform PEM -in robertbernier_crt.pem 2>&1 |less
openssl x509 -purpose -inform PEM -in postgres_crt.pem 2>&1 |less
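A check to run once the certificates are installed, as an added example that is not from the slides: the sslinfo contrib module (in the same postgresql-contrib package as pgcrypto) lets the session confirm it really came in over TLS with a client certificate whose CN is the role name, which is the binding a `hostssl ... cert` line in pg_hba.conf enforces. Assumptions: postgresql.conf has ssl_ca_file pointing at the CA's cacert.pem, pg_hba.conf carries a line such as `hostssl db robertbernier 127.0.0.1/32 cert` (not on the slides), and the client has also copied cacert.pem to ~/.postgresql/root.crt so it can validate the server.

```sql
-- sslinfo ships with postgresql-contrib; CREATE EXTENSION needs 9.1+.
create extension if not exists sslinfo;

-- Is the session encrypted at all, and did the client present a certificate?
-- Expected on a hostssl/cert connection: tls_on = t, client_cert_sent = t.
select ssl_is_used()             as tls_on,
       ssl_version()             as protocol,
       ssl_cipher()              as cipher,
       ssl_client_cert_present() as client_cert_sent;

-- Does the certificate's Common Name equal the role we logged in as?
-- The "cert" auth method already enforces this (unless pg_ident.conf maps
-- names); the query makes the binding visible for auditing.
select current_user                             as role_name,
       ssl_client_dn_field('CN')                as cert_cn,
       ssl_client_dn_field('CN') = current_user as cn_matches_role,
       ssl_issuer_field('CN')                   as issuer_cn,
       ssl_client_serial()                      as serial;

-- Guard rail for administrative scripts: stop immediately if the session did
-- not arrive over TLS with a client certificate.
do $$
begin
    if not ssl_is_used() or not ssl_client_cert_present() then
        raise exception 'session is not using TLS with a client certificate';
    end if;
end
$$;
```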
About DATA ENCRYPTION
About DATA ENCRYPTION
select * from pg_available_extensions;
create extension pgcrypto;
\df
-- functions of interest
pgp_pub_encrypt()
pgp_pub_decrypt()
About DATA ENCRYPTION
ABOUT PGP (Pretty Good Privacy)
GPG (GNU Privacy Guard)
----------------------------------------------------
USING GPG
UNIX account: robertbernier@LinuxFest
-------------
gpg --gen-key
-------------
gpg --list-secret-keys
sec 2048R/91E94413 2015-03-14
uid Robert Bernier (DBA/Architect) <robert.bernier@whitehatsec.com>
ssb 2048R/5E58CCAA 2015-03-14
-------------
REMOVE PASSPHRASE FROM PRIVATE KEY
RETURN BLANK WHEN ASKED TO CHANGE PASSWORD
gpg --edit-key 5E58CCAA
# at the gpg> prompt: passwd (enter an empty new passphrase), then save
# getting the keys
gpg -a --export 5E58CCAA |less
gpg -a --export-secret-keys 5E58CCAA | less
WORKING WITH ENCRYPTED DATA
SETUP DATABASE
create table gpg (
id serial primary key,
type varchar,
key text
);
create table confidential (
id serial primary key,
message varchar,
message_encrypted varchar
);
------------------------------------------------------
#!/bin/bash
set -e
# key id of the first secret key, e.g. 91E94413 from "sec   2048R/91E94413 2015-03-14"
SECRET="$(gpg --list-secret-keys | grep -E "^sec" | cut -d / -f 2 | cut -d ' ' -f 1)"
# ASCII-armored public and private key, stored as text in the gpg table
PUBLIC=$(gpg -a --export "$SECRET")
PRIVATE=$(gpg -a --export-secret-keys "$SECRET")
psql db <<_eof_
insert into gpg(type,key) values ('public','$PUBLIC');
insert into gpg(type,key) values ('private','$PRIVATE');
_eof_
WORKING WITH ENCRYPTED DATA
ENCRYPT/DECRYPT DATA
-- encrypt
with a(msg) as (values('my secret message')),
b as (select msg,
pgp_pub_encrypt(msg,dearmor(key)) as msg_e
from gpg,a
where type='public')
insert into confidential(message,message_encrypted)
select msg, msg_e from b;
-- decrypt
with a as (select dearmor(key) from gpg where type='private')
select id,
pgp_pub_decrypt(message_encrypted::bytea,dearmor),
md5(message_encrypted) encrypted_checksum
from confidential,a ;
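An added example, not from the slides, that applies the earlier role model to the key table: the application role db_rw keeps the public key only (it can encrypt), while decryption runs through a SECURITY DEFINER function owned by db that takes the key's passphrase at call time (the three-argument pgp_pub_decrypt), so the passphrase does not have to be stripped from the private key. Assumptions: the gpg and confidential tables are owned by db, the private-key row was exported with its passphrase intact (the gpg --edit-key step above skipped), and 'PASSPHRASE-PLACEHOLDER' stands for that passphrase.

```sql
set role db;

-- 1. Fix the "privileges must be declared for all new relations" gap for the
--    tables created after the earlier GRANT ... ON ALL TABLES.
grant select, insert on confidential to db_rw;
grant usage on sequence confidential_id_seq to db_rw;

-- 2. The application role must not read the private-key row at all; it only
--    sees the public key through a view owned by db.
revoke all on gpg from db_rw;
create or replace view gpg_public as
    select key from gpg where type = 'public';
grant select on gpg_public to db_rw;

-- 3. Encryption helper for the application: needs nothing but the public key.
create or replace function f_encrypt(msg text, out enc bytea) as $$
    select pgp_pub_encrypt($1, dearmor(key)) from gpg_public;
$$ language sql stable;

-- 4. Decryption runs as db (SECURITY DEFINER); the caller supplies the
--    passphrase and never gets to see the key material.
create or replace function f_decrypt(enc bytea, psw text, out msg text) as $$
    select pgp_pub_decrypt($1, dearmor(key), $2) from gpg where type = 'private';
$$ language sql stable security definer set search_path = db, pg_temp;
revoke execute on function f_decrypt(bytea, text) from public;
grant  execute on function f_decrypt(bytea, text) to db_rw;

-- 5. Exercise it as the application account (user1 is a member of db_rw).
--    message_encrypted is varchar as on the slide, so the bytea is stored in
--    its text form and cast back on the way out.
set role user1;
insert into confidential(message, message_encrypted)
    values ('my secret message', f_encrypt('my secret message'));

-- expected: round_trip = t
select f_decrypt(message_encrypted::bytea, 'PASSPHRASE-PLACEHOLDER') = message
       as round_trip
from confidential order by id desc limit 1;

-- user1 can no longer read the key table directly; this would fail with
-- "permission denied for relation gpg" (left commented so ON_ERROR_STOP
-- does not abort the script):
-- select key from gpg where type = 'private';
reset role;
```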
WORKING WITH ENCRYPTED DATA
Demo: Tables
                    Table "db.t1_mb"
  Column  | Type  |              Modifiers
----------+-------+-------------------------------------
 uuid     | uuid  | not null default uuid_generate_v4()
 uuid_enc | bytea |
 passage  | text  |
Indexes:
    "t1_mb_pkey" PRIMARY KEY, btree (uuid)
Referenced by:
    TABLE "t2_mb" CONSTRAINT "t2_mb_uuid_fkey" FOREIGN KEY (uuid) REFERENCES t1_mb(uuid)

                            Table "db.t2_mb"
  Column  |  Type   |                     Modifiers
----------+---------+----------------------------------------------------
 id       | integer | not null default nextval('t2_mb_id_seq'::regclass)
 uuid     | uuid    |
 uuid_enc | bytea   |
Indexes:
    "t2_mb_pkey" PRIMARY KEY, btree (id)
    "t2_mb_f_wrapper_idx" UNIQUE, btree (f_wrapper(uuid_enc))
    "t2_mb_uuid_idx" btree (uuid)
Foreign-key constraints:
    "t2_mb_uuid_fkey" FOREIGN KEY (uuid) REFERENCES t1_mb(uuid)
Demo: FUNCTIONS
CREATE OR REPLACE FUNCTION f_private_key (
    OUT key bytea
) AS
$$
BEGIN
-- bytea, hex encoded ('\x...'), private key is shortened here
key='\x95039804550466450108....';
END;
$$
LANGUAGE PLPGSQL
IMMUTABLE;
CREATE OR REPLACE FUNCTION f_wrapper (
    IN  a BYTEA,
    OUT b TEXT
) AS
$$
BEGIN
    b=pgp_pub_decrypt(a,f_private_key());
END;
$$
LANGUAGE PLPGSQL
IMMUTABLE;
Demo: FUNCTIONAL INDEXES
CREATE [ UNIQUE ] INDEX [ CONCURRENTLY ] [ name ] ON table [ USING method ]
    ( { column | ( expression ) } [ opclass ] [ ASC | DESC ] [ NULLS { FIRST | LAST } ] [, ...] )
    [ WITH ( storage_parameter = value [, ... ] ) ]
    [ TABLESPACE tablespace ]
    [ WHERE predicate ]
Demo: Indexes
-- unencrypted column
create index on t2_mb(uuid);
-- encrypted column, functional index
create unique index on t2_mb(f_wrapper(uuid_enc));
TYPE         QUERY TIME   COMMENTS
Unencrypted  00.05ms      Pulling out one record at a time
Encrypted    00.05ms
Unencrypted  14.00ms      Join on column "uuid"
Encrypted    6,800ms
Encrypted    23.00ms
(one row per EXPLAIN ANALYZE query below, in order)
explain analyze
select id,
passage
from t2_mb,t1_mb
where t2_mb.uuid='018cf2e7-ef0f-483d-8221-80c0d538632a';
explain analyze
select id,
passage
from t2_mb,t1_mb
where f_wrapper(t2_mb.uuid_enc)='018cf2e7-ef0f-483d-8221-80c0d538632a';
explain analyze
select id,
passage
from t1_mb
join t2_mb on t1_mb.uuid=t2_mb.uuid
order by id asc;
explain analyze
select id,
passage
from t2_mb
join t1_mb on f_wrapper(t2_mb.uuid_enc)=t1_mb.uuid::text
order by id asc;
The functional index isn't being used; this is a postgres bug with the planner (see the Functional Indexes reference at the end).
explain analyze
select id,
passage
from t2_mb
join t1_mb on f_wrapper(t2_mb.uuid_enc)=t1_mb.uuid::text
order by id asc;
The functional index works!
Set the following runtime parameters before executing the query:
set enable_hashjoin to off;
set enable_mergejoin to off;
REFERENCES
● http://www.postgresql.org/docs/9.3/static/index.html
● http://www.postgresql.org/docs/9.3/static/pgcrypto.html
● https://www.openssl.org/docs/apps/CA.pl.html
● https://www.gnupg.org/
● Functional Indexes: http://www.postgresql.org/message-id/13312.1425430126@sss.pgh.pa.us
The End

VICTOR MAESTRE RAMIREZ
 
Agentic AI - The New Era of Intelligence
Agentic AI - The New Era of IntelligenceAgentic AI - The New Era of Intelligence
Agentic AI - The New Era of Intelligence
Muzammil Shah
 
Fortinet Certified Associate in Cybersecurity
Fortinet Certified Associate in CybersecurityFortinet Certified Associate in Cybersecurity
Fortinet Certified Associate in Cybersecurity
VICTOR MAESTRE RAMIREZ
 
GDG Cloud Southlake #43: Tommy Todd: The Quantum Apocalypse: A Looming Threat...
GDG Cloud Southlake #43: Tommy Todd: The Quantum Apocalypse: A Looming Threat...GDG Cloud Southlake #43: Tommy Todd: The Quantum Apocalypse: A Looming Threat...
GDG Cloud Southlake #43: Tommy Todd: The Quantum Apocalypse: A Looming Threat...
James Anderson
 
Palo Alto Networks Cybersecurity Foundation
Palo Alto Networks Cybersecurity FoundationPalo Alto Networks Cybersecurity Foundation
Palo Alto Networks Cybersecurity Foundation
VICTOR MAESTRE RAMIREZ
 
Data Virtualization: Bringing the Power of FME to Any Application
Data Virtualization: Bringing the Power of FME to Any ApplicationData Virtualization: Bringing the Power of FME to Any Application
Data Virtualization: Bringing the Power of FME to Any Application
Safe Software
 
Co-Constructing Explanations for AI Systems using Provenance
Co-Constructing Explanations for AI Systems using ProvenanceCo-Constructing Explanations for AI Systems using Provenance
Co-Constructing Explanations for AI Systems using Provenance
Paul Groth
 
Nix(OS) for Python Developers - PyCon 25 (Bologna, Italia)
Nix(OS) for Python Developers - PyCon 25 (Bologna, Italia)Nix(OS) for Python Developers - PyCon 25 (Bologna, Italia)
Nix(OS) for Python Developers - PyCon 25 (Bologna, Italia)
Peter Bittner
 

PostgreSQL: Welcome To Total Security

  • 13. About Authentication
Authentication Methods
* Trust Authentication (pg_hba.conf)
* Password Authentication
GSSAPI Authentication (Kerberos)
SSPI Authentication (ms-windows)
Kerberos Authentication (Deprecated)
Ident Authentication (Deprecated: pg_ident.conf)
* Peer Authentication
LDAP Authentication
RADIUS Authentication
* Certificate Authentication (SSL)
PAM Authentication

  • 14. About Host Based Authentication: pg_hba.conf

  • 15. About ROLES: One Approach Among Many

  • 16. About ROLES: DEFINING THE TYPES OF ROLES
- superuser (postgres)
- database owner
- relations owner
- role_rw (nologin)
- user account roles (with login)
- application, client, processes
- sys administrators

  • 17. About ROLES: CREATING THE GENERIC ROLES
create role db_owner with nologin;
create role db with nologin;
create role db_rw with nologin;
comment on role db_owner is 'The owner of the database db';
comment on role db is 'The owner of the relations on database db';
comment on role db_rw is 'The role executing all DML operations';
  • 18. About ROLES: CREATE USERS
create role robertbernier with login inherit password '123'
  valid until '31 dec 2017'
  in role db_owner, db, db_rw;
create role user1 with login inherit password '123'
  valid until '31 dec 2017' -- Do we really want this ROLE to expire?
  in role db_rw;
comment on role robertbernier is 'user account assigned as administrator';
comment on role user1 is 'user account for the client application(s)';

  • 19. About The Database
----------------------------------------------------
create database db with owner db_owner;
comment on database db is 'our working demo database';
----------------------------------------------------
\c db
drop schema public;
create schema db authorization db;
comment on schema db is 'this is where all the relations go';
alter database db set search_path='db';

  • 20. About The Demo Tables
\set ON_ERROR_STOP on
set role db;
create table t1 (
  id serial primary key,
  x float not null default random(),
  t_stamp timestamp not null default now()
);
create table t2 (like t1 including all);
create table t3 (like t1 including all);
insert into t1 default values;
insert into t1 default values;
insert into t1 default values;
insert into t2 default values;
insert into t2 default values;
insert into t2 default values;
insert into t3 default values;
insert into t3 default values;
insert into t3 default values;
  • 21. About The Demo Tables
----------------------------------------------------
SET PRIVILEGES
grant usage on schema db to db_rw;
grant select, insert, update, delete on all tables in schema db to db_rw;
grant usage on all sequences in schema db to db_rw;
----------------------------------------------------
VALIDATE PERMISSIONS
set role user1;
insert into t1 default values;
insert into t2 default values;
insert into t3 default values;
table t1;
table t2;
table t3;
CAVEAT: privileges must be declared for all new relations.
  • 22. About The Demo Tables: CONNECTION ATTEMPTS
There's a double layer of authentication going on:
- SQL PRIVILEGES
- pg_hba.conf
CAVEAT: This configuration prevents the superuser from logging in as the other user accounts, but it can still SET ROLE.
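The pg_hba.conf layer is evaluated top to bottom and the first matching line decides the method, so a permissive line placed above a stricter one silently defeats it. As an added example, not part of the original talk, here is a small first-match evaluator in Python over a constructed pg_hba.conf modelled on the demo roles (postgres over the Unix socket, user1 with a password over TLS, robertbernier with a CA-signed client certificate); hostnames, the "address netmask" form and +group names are assumed absent.

```python
import ipaddress

# Constructed pg_hba.conf for the demo roles; an assumption, not the author's file.
# Field order: TYPE  DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
SAMPLE_HBA = """
local    all   postgres                      peer                # superuser via the Unix socket only
hostssl  db    user1          10.0.0.0/24    md5                 # app role, password over TLS
hostssl  db    robertbernier  0.0.0.0/0      cert clientcert=1   # DBA, CA-signed client certificate
host     all   all            0.0.0.0/0      reject              # everything else
"""

def parse_hba(text):
    """Parse pg_hba.conf lines into rule dicts, keeping file order (the order PostgreSQL uses)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        f = line.split()
        rule = {"type": f[0], "database": f[1], "user": f[2]}
        if rule["type"] == "local":
            rule["address"], rest = None, f[3:]      # socket rules carry no address
        else:
            # CIDR only; the "address netmask" form and hostnames are not handled here
            rule["address"], rest = ipaddress.ip_network(f[3], strict=False), f[4:]
        rule["method"], rule["options"] = rest[0], rest[1:]
        rules.append(rule)
    return rules

def _name_matches(pattern, name):
    """'all' matches everything; +group and "quoted" forms are not modelled."""
    return pattern == "all" or pattern == name

def match_hba(rules, conn_type, database, user, address=None):
    """First rule matching the connection, or None (PostgreSQL then rejects it).
    conn_type: "local" (Unix socket), "host" (TCP, no TLS) or "hostssl" (TCP with TLS)."""
    for rule in rules:
        if rule["type"] == "local":
            if conn_type != "local":
                continue
        else:
            if conn_type == "local":
                continue
            if rule["type"] == "hostssl" and conn_type != "hostssl":
                continue                             # hostssl never matches a plain TCP connection
            if rule["type"] == "hostnossl" and conn_type != "host":
                continue
            if ipaddress.ip_address(address) not in rule["address"]:
                continue
        if _name_matches(rule["database"], database) and _name_matches(rule["user"], user):
            return rule
    return None

def effective_method(hba_text, conn_type, database, user, address=None):
    """Method PostgreSQL would apply; no matching line means the connection is rejected."""
    rule = match_hba(parse_hba(hba_text), conn_type, database, user, address)
    return rule["method"] if rule else "reject"
```

Prepending a `local all all trust` line to the same file changes the answer for the postgres socket login from peer to trust, which is the ordering mistake to look for when reviewing an hba file.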
  • 23. About CERTIFICATES

  • 24. About CERTIFICATES, 1/2
# CREATE THE CERTIFICATE AUTHORITY (answer the questions)
/usr/lib/ssl/misc/CA.pl -newca
# CREATE A PRIVATE KEY, CRT REQUEST FOR POSTGRES CLIENT
/usr/lib/ssl/misc/CA.pl -newreq
# SIGN THE CERTIFICATE REQUEST FOR POSTGRES CLIENT
/usr/lib/ssl/misc/CA.pl -sign
# RENAME KEY AND CERTIFICATE FOR POSTGRES CLIENT
mv newreq.pem robertbernier_req.pem
mv newkey.pem robertbernier_key.pem
mv newcert.pem robertbernier_crt.pem
# CREATE A PRIVATE KEY, CRT REQUEST FOR POSTGRES SERVER
/usr/lib/ssl/misc/CA.pl -newreq
# SIGN THE CERTIFICATE REQUEST FOR POSTGRES SERVER
/usr/lib/ssl/misc/CA.pl -sign

  • 25. About CERTIFICATES, 2/2
# RENAME KEY AND CERTIFICATE FOR POSTGRES SERVER
mv newreq.pem postgres_req.pem
mv newkey.pem postgres_key.pem
mv newcert.pem postgres_crt.pem
# UNLOCK KEYS / REMOVE PASSPHRASE
openssl rsa -in robertbernier_key.pem -out robertbernier.key
openssl rsa -in postgres_key.pem -out postgres.key
# INSTALL SERVER CERTIFICATE (you can still use snake oil as server certificate but client cannot validate server)
# EDIT postgresql.conf: the CA certificate goes in ssl_ca_file, which is what the server verifies client certificates against
ssl_ca_file = '/etc/postgresql/9.3/main/cacert.pem'
cp cacert.pem /etc/postgresql/9.3/main/
# INSTALL CLIENT CERTIFICATES (ROLE: "robertbernier", DIR: ".postgresql")
cp robertbernier.key ~/.postgresql/postgresql.key
cp robertbernier_crt.pem ~/.postgresql/postgresql.crt
NOTE, alternate login (works with any account via TCP/IP sockets):
psql 'host=localhost dbname=db user=robertbernier sslcert=robertbernier_crt.pem sslkey=robertbernier.key'
# CERTIFICATE PROPERTIES
openssl x509 -purpose -inform PEM -in ./demoCA/cacert.pem 2>&1 | less
openssl x509 -purpose -inform PEM -in robertbernier_crt.pem 2>&1 | less
openssl x509 -purpose -inform PEM -in postgres_crt.pem 2>&1 | less
  • 26. About DATA ENCRYPTION

  • 27. About DATA ENCRYPTION
select * from pg_available_extensions;
create extension pgcrypto;
\df
-- functions of interest
pgp_pub_encrypt()
pgp_pub_decrypt()
  • 28. About DATA ENCRYPTION
ABOUT PGP (Pretty Good Privacy)
GPG (GNU Privacy Guard)
----------------------------------------------------
USING GPG
UNIX account: robertbernier@LinuxFest
-------------
gpg --gen-key
-------------
gpg --list-secret-keys
sec   2048R/91E94413 2015-03-14
uid                  Robert Bernier (DBA/Architect) <[email protected]>
ssb   2048R/5E58CCAA 2015-03-14
-------------
REMOVE PASSPHRASE FROM PRIVATE KEY
RETURN BLANK WHEN ASKED TO CHANGE PASSWORD
gpg --edit-key 5E58CCAA
# getting the keys
gpg -a --export 5E58CCAA | less
gpg -a --export-secret-keys 5E58CCAA | less

  • 29. WORKING WITH ENCRYPTED DATA: SETUP DATABASE
create table gpg (
  id serial primary key,
  type varchar,
  key text
);
create table confidential (
  id serial primary key,
  message varchar,
  message_encrypted varchar
);
------------------------------------------------------
(
#!/bin/bash
set -e
SECRET="$(gpg --list-secret-keys | grep -E "^sec" | cut -d / -f 2 | cut -d ' ' -f 1)"
PUBLIC=$(gpg -a --export $SECRET)
PRIVATE=$(gpg -a --export-secret-keys $SECRET)
psql db <<_eof_
insert into gpg(type,key) values ('public','$PUBLIC');
insert into gpg(type,key) values ('private','$PRIVATE');
_eof_
)

  • 30. WORKING WITH ENCRYPTED DATA: ENCRYPT/DECRYPT DATA
-- encrypt
with a(msg) as (values ('my secret message')),
     b as (select msg, pgp_pub_encrypt(msg, dearmor(key)) as msg_e
           from gpg, a where type = 'public')
insert into confidential(message, message_encrypted)
select msg, msg_e from b;
-- decrypt
with a as (select dearmor(key) from gpg where type = 'private')
select id,
       pgp_pub_decrypt(message_encrypted::bytea, dearmor),
       md5(message_encrypted) encrypted_checksum
from confidential, a;

  • 31. WORKING WITH ENCRYPTED DATA

  • 32. Demo: Tables
                     Table "db.t1_mb"
  Column  | Type  |              Modifiers
----------+-------+-------------------------------------
 uuid     | uuid  | not null default uuid_generate_v4()
 uuid_enc | bytea |
 passage  | text  |
Indexes:
    "t1_mb_pkey" PRIMARY KEY, btree (uuid)
Referenced by:
    TABLE "t2_mb" CONSTRAINT "t2_mb_uuid_fkey" FOREIGN KEY (uuid) REFERENCES t1_mb(uuid)

                             Table "db.t2_mb"
  Column  |  Type   |                     Modifiers
----------+---------+----------------------------------------------------
 id       | integer | not null default nextval('t2_mb_id_seq'::regclass)
 uuid     | uuid    |
 uuid_enc | bytea   |
Indexes:
    "t2_mb_pkey" PRIMARY KEY, btree (id)
    "t2_mb_f_wrapper_idx" UNIQUE, btree (f_wrapper(uuid_enc))
    "t2_mb_uuid_idx" btree (uuid)
Foreign-key constraints:
    "t2_mb_uuid_fkey" FOREIGN KEY (uuid) REFERENCES t1_mb(uuid)

  • 33. Demo: FUNCTIONS
CREATE OR REPLACE FUNCTION f_private_key (
    OUT key bytea
) AS $$
BEGIN
    -- bytea, escape encoded, private key is shortened
    key='x95039804550466450108....';
END;
$$ LANGUAGE PLPGSQL IMMUTABLE;

CREATE OR REPLACE FUNCTION f_wrapper (
    IN  a BYTEA,
    OUT b TEXT
) AS $$
BEGIN
    b=pgp_pub_decrypt(a,f_private_key());
END;
$$ LANGUAGE PLPGSQL IMMUTABLE;

  • 34. Demo: FUNCTIONAL INDEXES
CREATE [ UNIQUE ] INDEX [ CONCURRENTLY ] [ name ] ON table [ USING method ]
    ( { column | ( expression ) } [ opclass ] [ ASC | DESC ] [ NULLS { FIRST | LAST } ] [, ...] )
    [ WITH ( storage_parameter = value [, ... ] ) ]
    [ TABLESPACE tablespace ]
    [ WHERE predicate ]

  • 35. Demo: Indexes
-- unencrypted column
create index on t2_mb(uuid);
-- encrypted column, functional index
create unique index on t2_mb(f_wrapper(uuid_enc));
  • 36.
TYPE        | QUERY TIME | COMMENTS
------------+------------+---------------------------------
Unencrypted | 00.05ms    | Pulling out one record at a time
Encrypted   | 00.05ms    |
Unencrypted | 14.00ms    | Join on column "uuid"
Encrypted   | 6,800ms    |
Encrypted   | 23.00ms    |

-- one record at a time, unencrypted column
explain analyze select id, passage from t2_mb, t1_mb
  where t2_mb.uuid='018cf2e7-ef0f-483d-8221-80c0d538632a';
-- one record at a time, encrypted column
explain analyze select id, passage from t2_mb, t1_mb
  where f_wrapper(t2_mb.uuid_enc)='018cf2e7-ef0f-483d-8221-80c0d538632a';
-- join on the unencrypted column
explain analyze select id, passage from t1_mb join t2_mb on t1_mb.uuid=t2_mb.uuid
  order by id asc;
-- join on the encrypted column
explain analyze select id, passage from t2_mb join t1_mb on f_wrapper(t2_mb.uuid_enc)=t1_mb.uuid::text
  order by id asc;
The functional index isn't being used; this is a PostgreSQL bug with the planner.
explain analyze select id, passage from t2_mb join t1_mb on f_wrapper(t2_mb.uuid_enc)=t1_mb.uuid::text
  order by id asc;
The functional index works! Set the following run-time parameters before executing the query:
set enable_hashjoin to off;
set enable_mergejoin to off;
  • 37. REFERENCES
● http://www.postgresql.org/docs/9.3/static/index.html
● http://www.postgresql.org/docs/9.3/static/pgcrypto.html
● https://www.openssl.org/docs/apps/CA.pl.html
● https://www.gnupg.org/
● Functional Indexes: http://www.postgresql.org/message-id/[email protected]

  • 38. The End