PostgreSQL: Encrypt Column With pgcrypto

有些话、适合烂在心里 submitted on 2019-12-04 04:16:29

Secret storage is a common issue when using crypto mechanisms.

pgcrypto does not provide key storage; you are free to store the key where you want and protect it as you can.

Storing the key in another database, if managed by the same DBA, does not provide much security, as the DBA may access it the same way.

Ideally, you would store the key in a secure vault and request it from your application in order to construct the queries. It will still be visible to the DBA while the request is running, through select * from pg_stat_activity.

You may set the key for session-wide use in SQL through set session my.vars.cryptokey = 'secret'; then use it in your queries with the following syntax: current_setting('my.vars.cryptokey')::text

To be (almost) transparent from the application's point of view, PostgreSQL rules may help by translating secure_column into a call to the decrypt function with the session-stored key. For inserting, a pre-insert trigger would be required.
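
One way to wire the session key, the read-side rule and the pre-insert trigger together, as an added example that is not part of the original answer. The table, view, function and trigger names are assumptions, the key and row are constructed, and the column is assumed to hold armored ciphertext as text so the trigger can encrypt in place.

```sql
-- Added example: table, view, function and trigger names are assumptions.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE customer (
    id            serial PRIMARY KEY,
    name          text NOT NULL,
    secure_column text            -- holds ASCII-armored PGP ciphertext
);

-- Pre-insert trigger: replace the incoming plaintext with ciphertext.
CREATE FUNCTION customer_encrypt() RETURNS trigger AS $$
DECLARE
    -- current_setting() raises an error if the key was never set
    k text := current_setting('my.vars.cryptokey')::text;
BEGIN
    -- Refuse to encrypt with a missing or empty key.
    IF k IS NULL OR k = '' THEN
        RAISE EXCEPTION 'my.vars.cryptokey is not set for this session';
    END IF;
    IF NEW.secure_column IS NOT NULL THEN
        NEW.secure_column := armor(pgp_sym_encrypt(NEW.secure_column, k));
    END IF;
    RETURN NEW;
END;
$$ LANGUAGE plpgsql;

-- UPDATE OF fires only when secure_column is assigned, so unrelated
-- updates do not encrypt the stored ciphertext a second time.
CREATE TRIGGER customer_encrypt_trg
    BEFORE INSERT OR UPDATE OF secure_column ON customer
    FOR EACH ROW EXECUTE PROCEDURE customer_encrypt();

-- A view is stored as an ON SELECT rule; it decrypts with the session key.
CREATE VIEW customer_clear AS
SELECT id, name,
       pgp_sym_decrypt(dearmor(secure_column),
                       current_setting('my.vars.cryptokey')::text) AS secure_column
FROM customer;

-- Constructed sample key and row.
SET SESSION my.vars.cryptokey = 'constructed-demo-key';
INSERT INTO customer (name, secure_column) VALUES ('alice', 'constructed secret');
SELECT name, secure_column FROM customer;        -- stored form
SELECT name, secure_column FROM customer_clear;  -- decrypted through the view
RESET my.vars.cryptokey;
```

Granting the application role SELECT on customer_clear and INSERT on customer, without SELECT on the base table, keeps its reads going through the decrypting view.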
