
PGCon 2019
The PostgreSQL Conference

Speakers: Masahiko Sawada

Schedule
Day: Talks - Day 2 - 2019-05-31
Room: DMS 1110
Start time: 11:00
Duration: 00:45

Info
ID: 1325
Event type: Other
Track: Hacking
Language used for presentation: English

Transparent data at rest encryption in PostgreSQL

Data encryption is one of the most powerful methods of protecting data from threats such as eavesdropping and theft. It is essential when storing confidential information such as credit card numbers and users' personal information. Various data protection standards and regulations, such as PCI DSS and GDPR, also require it.

We have been researching how to make PostgreSQL more secure by implementing built-in transparent data encryption. In this talk I will first introduce some studies about database encryption. Then I'll provide some internal details of implementing transparent data encryption and the performance evaluation results of the PoC based on our solution. The talk also covers robust encryption key management, which is another important feature for data encryption.

Various data protection standards and regulations, such as PCI DSS and GDPR, require data encryption. There are methods to encrypt data stored in PostgreSQL, such as pgcrypto and file-system-level encryption using LUKS. However, they don't satisfy the following properties of database encryption that users and some security standards require in practice:

  • Transparent data encryption (TDE)
  • Minimal performance impact
  • Platform-independence

We have been researching built-in database encryption for PostgreSQL. Our solution consists of per-tablespace transparent data encryption that keeps the performance impact to a minimum. We wrote proof-of-concept code to evaluate our solution's usability and its impact on performance.

In this talk, I will discuss the principles of confidential information protection and database encryption methods. Then I'll provide some internal details of built-in transparent data encryption in PostgreSQL and the evaluation results. The talk also covers robust encryption key management, which is another important feature for data encryption.