PostgreSQL instance encryption: more database security

Full PostgreSQL instance encryption

Hans-Jürgen Schönig
www.postgresql-support.de

Upload: hans-juergen-schoenig

Post on 18-Jan-2017

First of all

Did everybody have a good time in Tallinn?

Introduction

Cybertec Schönig & Schönig GmbH

- 24x7 support for PostgreSQL
- PostgreSQL training
- PostgreSQL consulting

Get more out of PostgreSQL

PostgreSQL features

- PostgreSQL provides many features
- Many "Enterprise" features are available
  - e.g. replication, analytics, etc.

Missing stuff

- Nothing is feature complete
- Once in a while everybody finds missing parts

Sponsoring vs. licensing

- Remember, PostgreSQL is Open Source
- Sponsoring a feature is often cheaper than buying commercial licenses
- No need to chain yourself to a commercial vendor

Database encryption: An example

Specific customer requirements

- Customer could only provide encryption based on expensive commercial software
- Encryption is needed to fulfill legal and internal requirements

Making it work

- Implement highly optimized code to handle encryption on the block level in PostgreSQL
- Totally transparent to the end user
- Keys can be stored in a key store of your choice

What it does

- We encrypt:
  - Tables
  - Indexes
  - Temporary files
  - Full WAL encryption
  - Commit Log (clog)
  - More stuff: Subtransaction directories, MultiXact . . .
- What we do not encrypt (yet):
  - pg_stat_statements, logical replication buffers, control data (on purpose)

Encryption technology

- Extensible mechanism
- Included in pgcrypto: AES-XTS 128
- Future versions will use Intel hardware support
- Current prototype does 4 GB / sec per core!
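
Added example (not part of the slides and not Cybertec's code): a Node.js sketch of AES-128-XTS applied to one fixed-size database page, showing why the mode suits block-level encryption and what it does not protect. The 8 KB page size, the block-number tweak and the demo key are assumptions made for the illustration.

```javascript
// Added illustration, not Cybertec's patch or PostgreSQL code.
const crypto = require("crypto");

const PAGE_SIZE = 8192; // PostgreSQL's default block size

// AES-128-XTS takes 32 bytes of key: two distinct 128-bit halves.
// Constructed demo key; a real key would come from the key store.
const DEMO_KEY = Buffer.from(
  "000102030405060708090a0b0c0d0e0f" + "f0e1d2c3b4a5968778695a4b3c2d1e0f", "hex");

// Assumption: tweak = block number as a 16-byte little-endian value.
function tweakFor(blockNo) {
  const tweak = Buffer.alloc(16);
  tweak.writeBigUInt64LE(BigInt(blockNo), 0);
  return tweak;
}

function encryptPage(key, blockNo, page) {
  if (page.length !== PAGE_SIZE) throw new RangeError("need one full page");
  const c = crypto.createCipheriv("aes-128-xts", key, tweakFor(blockNo));
  return Buffer.concat([c.update(page), c.final()]); // whole page in one update()
}

function decryptPage(key, blockNo, page) {
  if (page.length !== PAGE_SIZE) throw new RangeError("need one full page");
  const d = crypto.createDecipheriv("aes-128-xts", key, tweakFor(blockNo));
  return Buffer.concat([d.update(page), d.final()]);
}

// Count the 16-byte AES blocks that differ between two pages.
function differingChunks(a, b) {
  let n = 0;
  for (let i = 0; i < PAGE_SIZE; i += 16)
    if (!a.subarray(i, i + 16).equals(b.subarray(i, i + 16))) n++;
  return n;
}

function demo() {
  const page = Buffer.alloc(PAGE_SIZE, "identical row data "); // constructed page
  const c0 = encryptPage(DEMO_KEY, 0, page);
  const c1 = encryptPage(DEMO_KEY, 1, page);
  const tampered = Buffer.from(c1);
  tampered[100] ^= 0x01; // flip one ciphertext bit "on disk"
  return {
    sameLength: c0.length === PAGE_SIZE,
    blocksDiffer: differingChunks(c0, c1),
    roundTrip: decryptPage(DEMO_KEY, 1, c1).equals(page),
    deterministic: encryptPage(DEMO_KEY, 0, page).equals(c0),
    tamperDamage: differingChunks(decryptPage(DEMO_KEY, 1, tampered), page),
  };
}
```

The ciphertext is exactly one page long and identical pages at different block numbers encrypt differently, which is what lets the on-disk layout stay unchanged. XTS is deterministic per block and unauthenticated: the flipped bit silently garbles one 16-byte chunk, so corruption detection has to come from elsewhere (for example page checksums).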

Good news

- We all got encryption now
- Not yet in core but available to end users already with full professional support
- Patch on hackers
- Anybody willing to give feedback?

Commercial success

- Writing code + integrating was cheaper than just integrating commercial stuff
- Makes sense for everybody
  - Customer
  - Community

What we learn from this

- Have the guts and the conviction to do what is right
- Think for yourself
- Find solutions to YOUR problems
- Do not change your requirements just because some commercial vendor forces you to do so
- Benefit from Open Source
- Invest wisely

Where can we get the code?

- Our website has the code:
  - http://www.cybertec.at/en/products/postgresql-instance-level-encryption/
- It is under PostgreSQL license

Finally

Any questions?

- Feel free to ask

Contact us

Cybertec Schönig & Schönig GmbH

Email: [email protected]
www.postgresql-support.de
Follow us on Twitter: @PostgresSupport
