Submit Search
Upload
Transparent Data Encryption in PostgreSQL
•
6 likes
•
10,107 views
Masahiko Sawada
Follow
Talk at PGCon 2019
Read less
Read more
Software
Report
Share
Report
Share
1 of 38
Download now
Download to read offline
Recommended
Transparent Data Encryption in PostgreSQL and Integration with Key Management...
Transparent Data Encryption in PostgreSQL and Integration with Key Management...
Masahiko Sawada
MySQL Data Encryption at Rest
MySQL Data Encryption at Rest
Mydbops
PostgreSQL major version upgrade using built in Logical Replication
PostgreSQL major version upgrade using built in Logical Replication
Atsushi Torikoshi
Amazon RDS with Amazon Aurora | AWS Public Sector Summit 2016
Amazon RDS with Amazon Aurora | AWS Public Sector Summit 2016
Amazon Web Services
Problems with PostgreSQL on Multi-core Systems with MultiTerabyte Data
Problems with PostgreSQL on Multi-core Systems with MultiTerabyte Data
Jignesh Shah
MySQL Enterprise Backup (MEB)
MySQL Enterprise Backup (MEB)
Mydbops
Mysql security 5.7
Mysql security 5.7
Mark Swarbrick
PostgreSQL Replication High Availability Methods
PostgreSQL Replication High Availability Methods
Mydbops
Recommended
Transparent Data Encryption in PostgreSQL and Integration with Key Management...
Transparent Data Encryption in PostgreSQL and Integration with Key Management...
Masahiko Sawada
MySQL Data Encryption at Rest
MySQL Data Encryption at Rest
Mydbops
PostgreSQL major version upgrade using built in Logical Replication
PostgreSQL major version upgrade using built in Logical Replication
Atsushi Torikoshi
Amazon RDS with Amazon Aurora | AWS Public Sector Summit 2016
Amazon RDS with Amazon Aurora | AWS Public Sector Summit 2016
Amazon Web Services
Problems with PostgreSQL on Multi-core Systems with MultiTerabyte Data
Problems with PostgreSQL on Multi-core Systems with MultiTerabyte Data
Jignesh Shah
MySQL Enterprise Backup (MEB)
MySQL Enterprise Backup (MEB)
Mydbops
Mysql security 5.7
Mysql security 5.7
Mark Swarbrick
PostgreSQL Replication High Availability Methods
PostgreSQL Replication High Availability Methods
Mydbops
MySQL GTID Concepts, Implementation and troubleshooting
MySQL GTID Concepts, Implementation and troubleshooting
Mydbops
Always on in sql server 2017
Always on in sql server 2017
Gianluca Hotz
Database migration from Sybase ASE to PostgreSQL @2013.pgconf.eu
Database migration from Sybase ASE to PostgreSQL @2013.pgconf.eu
aldaschwede80
MySQL Performance Schema in Action
MySQL Performance Schema in Action
Sveta Smirnova
MySQL Database Architectures - MySQL InnoDB ClusterSet 2021-11
MySQL Database Architectures - MySQL InnoDB ClusterSet 2021-11
Kenny Gryp
Mastering PostgreSQL Administration
Mastering PostgreSQL Administration
EDB
Oracle Database in-Memory Overivew
Oracle Database in-Memory Overivew
Maria Colgan
How YugaByte DB Implements Distributed PostgreSQL
How YugaByte DB Implements Distributed PostgreSQL
Yugabyte
Lucene basics
Lucene basics
Nitin Pande
NoSql
NoSql
Girish Khanzode
Database Security Threats - MariaDB Security Best Practices
Database Security Threats - MariaDB Security Best Practices
MariaDB plc
ProxySQL - High Performance and HA Proxy for MySQL
ProxySQL - High Performance and HA Proxy for MySQL
René Cannaò
Getting started with postgresql
Getting started with postgresql
botsplash.com
Backup And Recovery
Backup And Recovery
raghu_designer
Highly efficient backups with percona xtrabackup
Highly efficient backups with percona xtrabackup
Nilnandan Joshi
MySQL Load Balancers - Maxscale, ProxySQL, HAProxy, MySQL Router & nginx - A ...
MySQL Load Balancers - Maxscale, ProxySQL, HAProxy, MySQL Router & nginx - A ...
Severalnines
MySQL Database Architectures - 2022-08
MySQL Database Architectures - 2022-08
Kenny Gryp
Bloat and Fragmentation in PostgreSQL
Bloat and Fragmentation in PostgreSQL
Masahiko Sawada
Intro to HBase
Intro to HBase
alexbaranau
Oracle RAC 19c and Later - Best Practices #OOWLON
Oracle RAC 19c and Later - Best Practices #OOWLON
Markus Michalewicz
Why Disk Level Encryption is Not Enough for Your IBM i
Why Disk Level Encryption is Not Enough for Your IBM i
Precisely
Transparent Encryption in HDFS
Transparent Encryption in HDFS
DataWorks Summit
More Related Content
What's hot
MySQL GTID Concepts, Implementation and troubleshooting
MySQL GTID Concepts, Implementation and troubleshooting
Mydbops
Always on in sql server 2017
Always on in sql server 2017
Gianluca Hotz
Database migration from Sybase ASE to PostgreSQL @2013.pgconf.eu
Database migration from Sybase ASE to PostgreSQL @2013.pgconf.eu
aldaschwede80
MySQL Performance Schema in Action
MySQL Performance Schema in Action
Sveta Smirnova
MySQL Database Architectures - MySQL InnoDB ClusterSet 2021-11
MySQL Database Architectures - MySQL InnoDB ClusterSet 2021-11
Kenny Gryp
Mastering PostgreSQL Administration
Mastering PostgreSQL Administration
EDB
Oracle Database in-Memory Overivew
Oracle Database in-Memory Overivew
Maria Colgan
How YugaByte DB Implements Distributed PostgreSQL
How YugaByte DB Implements Distributed PostgreSQL
Yugabyte
Lucene basics
Lucene basics
Nitin Pande
NoSql
NoSql
Girish Khanzode
Database Security Threats - MariaDB Security Best Practices
Database Security Threats - MariaDB Security Best Practices
MariaDB plc
ProxySQL - High Performance and HA Proxy for MySQL
ProxySQL - High Performance and HA Proxy for MySQL
René Cannaò
Getting started with postgresql
Getting started with postgresql
botsplash.com
Backup And Recovery
Backup And Recovery
raghu_designer
Highly efficient backups with percona xtrabackup
Highly efficient backups with percona xtrabackup
Nilnandan Joshi
MySQL Load Balancers - Maxscale, ProxySQL, HAProxy, MySQL Router & nginx - A ...
MySQL Load Balancers - Maxscale, ProxySQL, HAProxy, MySQL Router & nginx - A ...
Severalnines
MySQL Database Architectures - 2022-08
MySQL Database Architectures - 2022-08
Kenny Gryp
Bloat and Fragmentation in PostgreSQL
Bloat and Fragmentation in PostgreSQL
Masahiko Sawada
Intro to HBase
Intro to HBase
alexbaranau
Oracle RAC 19c and Later - Best Practices #OOWLON
Oracle RAC 19c and Later - Best Practices #OOWLON
Markus Michalewicz
What's hot
(20)
MySQL GTID Concepts, Implementation and troubleshooting
MySQL GTID Concepts, Implementation and troubleshooting
Always on in sql server 2017
Always on in sql server 2017
Database migration from Sybase ASE to PostgreSQL @2013.pgconf.eu
Database migration from Sybase ASE to PostgreSQL @2013.pgconf.eu
MySQL Performance Schema in Action
MySQL Performance Schema in Action
MySQL Database Architectures - MySQL InnoDB ClusterSet 2021-11
MySQL Database Architectures - MySQL InnoDB ClusterSet 2021-11
Mastering PostgreSQL Administration
Mastering PostgreSQL Administration
Oracle Database in-Memory Overivew
Oracle Database in-Memory Overivew
How YugaByte DB Implements Distributed PostgreSQL
How YugaByte DB Implements Distributed PostgreSQL
Lucene basics
Lucene basics
NoSql
NoSql
Database Security Threats - MariaDB Security Best Practices
Database Security Threats - MariaDB Security Best Practices
ProxySQL - High Performance and HA Proxy for MySQL
ProxySQL - High Performance and HA Proxy for MySQL
Getting started with postgresql
Getting started with postgresql
Backup And Recovery
Backup And Recovery
Highly efficient backups with percona xtrabackup
Highly efficient backups with percona xtrabackup
MySQL Load Balancers - Maxscale, ProxySQL, HAProxy, MySQL Router & nginx - A ...
MySQL Load Balancers - Maxscale, ProxySQL, HAProxy, MySQL Router & nginx - A ...
MySQL Database Architectures - 2022-08
MySQL Database Architectures - 2022-08
Bloat and Fragmentation in PostgreSQL
Bloat and Fragmentation in PostgreSQL
Intro to HBase
Intro to HBase
Oracle RAC 19c and Later - Best Practices #OOWLON
Oracle RAC 19c and Later - Best Practices #OOWLON
Similar to Transparent Data Encryption in PostgreSQL
Why Disk Level Encryption is Not Enough for Your IBM i
Why Disk Level Encryption is Not Enough for Your IBM i
Precisely
Transparent Encryption in HDFS
Transparent Encryption in HDFS
DataWorks Summit
DatEngConf SF16 - Apache Kudu: Fast Analytics on Fast Data
DatEngConf SF16 - Apache Kudu: Fast Analytics on Fast Data
Hakka Labs
InnoDB Tablespace Encryption
InnoDB Tablespace Encryption
Satya Bodapati
From 1000/day to 1000/sec: The Evolution of Incapsula's BIG DATA System [Surg...
From 1000/day to 1000/sec: The Evolution of Incapsula's BIG DATA System [Surg...
Imperva Incapsula
Accelerate and Scale Big Data Analytics with Disaggregated Compute and Storage
Accelerate and Scale Big Data Analytics with Disaggregated Compute and Storage
Alluxio, Inc.
Encrypting and Protecting Your Data in Neo4j(Jeff_Tallman).pptx
Encrypting and Protecting Your Data in Neo4j(Jeff_Tallman).pptx
Neo4j
Big Data Security in Apache Projects by Gidon Gershinsky
Big Data Security in Apache Projects by Gidon Gershinsky
GidonGershinsky
Advanced MySql Data-at-Rest Encryption in Percona Server
Advanced MySql Data-at-Rest Encryption in Percona Server
Severalnines
Data Security at Scale through Spark and Parquet Encryption
Data Security at Scale through Spark and Parquet Encryption
Databricks
Kudu: Fast Analytics on Fast Data
Kudu: Fast Analytics on Fast Data
michaelguia
Blbs tn-double-the-power-half-the-space-uslet-en
Blbs tn-double-the-power-half-the-space-uslet-en
Bloombase
Maaz Anjum - IOUG Collaborate 2013 - An Insight into Space Realization on ODA...
Maaz Anjum - IOUG Collaborate 2013 - An Insight into Space Realization on ODA...
Maaz Anjum
Feature rich BTRFS is Getting Richer with Encryption
Feature rich BTRFS is Getting Richer with Encryption
LF Events
You Can't Correlate what you don't have - ArcSight Protect 2011
You Can't Correlate what you don't have - ArcSight Protect 2011
Scott Carlson
Engineering an Encrypted Storage Engine
Engineering an Encrypted Storage Engine
MongoDB
Oracle Performance On Linux X86 systems
Oracle Performance On Linux X86 systems
Baruch Osoveskiy
The Pendulum Swings Back: Converged and Hyperconverged Environments
The Pendulum Swings Back: Converged and Hyperconverged Environments
Tony Pearson
NTTドコモ様 導入事例 OpenStack Summit 2015 Tokyo 講演「After One year of OpenStack Cloud...
NTTドコモ様 導入事例 OpenStack Summit 2015 Tokyo 講演「After One year of OpenStack Cloud...
VirtualTech Japan Inc.
Introduction to MySQL Cluster
Introduction to MySQL Cluster
Abel Flórez
Similar to Transparent Data Encryption in PostgreSQL
(20)
Why Disk Level Encryption is Not Enough for Your IBM i
Why Disk Level Encryption is Not Enough for Your IBM i
Transparent Encryption in HDFS
Transparent Encryption in HDFS
DatEngConf SF16 - Apache Kudu: Fast Analytics on Fast Data
DatEngConf SF16 - Apache Kudu: Fast Analytics on Fast Data
InnoDB Tablespace Encryption
InnoDB Tablespace Encryption
From 1000/day to 1000/sec: The Evolution of Incapsula's BIG DATA System [Surg...
From 1000/day to 1000/sec: The Evolution of Incapsula's BIG DATA System [Surg...
Accelerate and Scale Big Data Analytics with Disaggregated Compute and Storage
Accelerate and Scale Big Data Analytics with Disaggregated Compute and Storage
Encrypting and Protecting Your Data in Neo4j(Jeff_Tallman).pptx
Encrypting and Protecting Your Data in Neo4j(Jeff_Tallman).pptx
Big Data Security in Apache Projects by Gidon Gershinsky
Big Data Security in Apache Projects by Gidon Gershinsky
Advanced MySql Data-at-Rest Encryption in Percona Server
Advanced MySql Data-at-Rest Encryption in Percona Server
Data Security at Scale through Spark and Parquet Encryption
Data Security at Scale through Spark and Parquet Encryption
Kudu: Fast Analytics on Fast Data
Kudu: Fast Analytics on Fast Data
Blbs tn-double-the-power-half-the-space-uslet-en
Blbs tn-double-the-power-half-the-space-uslet-en
Maaz Anjum - IOUG Collaborate 2013 - An Insight into Space Realization on ODA...
Maaz Anjum - IOUG Collaborate 2013 - An Insight into Space Realization on ODA...
Feature rich BTRFS is Getting Richer with Encryption
Feature rich BTRFS is Getting Richer with Encryption
You Can't Correlate what you don't have - ArcSight Protect 2011
You Can't Correlate what you don't have - ArcSight Protect 2011
Engineering an Encrypted Storage Engine
Engineering an Encrypted Storage Engine
Oracle Performance On Linux X86 systems
Oracle Performance On Linux X86 systems
The Pendulum Swings Back: Converged and Hyperconverged Environments
The Pendulum Swings Back: Converged and Hyperconverged Environments
NTTドコモ様 導入事例 OpenStack Summit 2015 Tokyo 講演「After One year of OpenStack Cloud...
NTTドコモ様 導入事例 OpenStack Summit 2015 Tokyo 講演「After One year of OpenStack Cloud...
Introduction to MySQL Cluster
Introduction to MySQL Cluster
More from Masahiko Sawada
PostgreSQL 15の新機能を徹底解説
PostgreSQL 15の新機能を徹底解説
Masahiko Sawada
行ロックと「LOG: process 12345 still waiting for ShareLock on transaction 710 afte...
行ロックと「LOG: process 12345 still waiting for ShareLock on transaction 710 afte...
Masahiko Sawada
PostgreSQL 15 開発最新情報
PostgreSQL 15 開発最新情報
Masahiko Sawada
Vacuum徹底解説
Vacuum徹底解説
Masahiko Sawada
PostgreSQL 12の話
PostgreSQL 12の話
Masahiko Sawada
OSS活動のやりがいとそれから得たもの - PostgreSQLコミュニティにて -
OSS活動のやりがいとそれから得たもの - PostgreSQLコミュニティにて -
Masahiko Sawada
Database Encryption and Key Management for PostgreSQL - Principles and Consid...
Database Encryption and Key Management for PostgreSQL - Principles and Consid...
Masahiko Sawada
今秋リリース予定のPostgreSQL11を徹底解説
今秋リリース予定のPostgreSQL11を徹底解説
Masahiko Sawada
Vacuum more efficient than ever
Vacuum more efficient than ever
Masahiko Sawada
Vacuumとzheap
Vacuumとzheap
Masahiko Sawada
アーキテクチャから理解するPostgreSQLのレプリケーション
アーキテクチャから理解するPostgreSQLのレプリケーション
Masahiko Sawada
Parallel Vacuum
Parallel Vacuum
Masahiko Sawada
PostgreSQLでスケールアウト
PostgreSQLでスケールアウト
Masahiko Sawada
OSS 開発ってどうやっているの? ~ PostgreSQL の現場から~
OSS 開発ってどうやっているの? ~ PostgreSQL の現場から~
Masahiko Sawada
PostgreSQL10徹底解説
PostgreSQL10徹底解説
Masahiko Sawada
FDW-based Sharding Update and Future
FDW-based Sharding Update and Future
Masahiko Sawada
What’s new in 9.6, by PostgreSQL contributor
What’s new in 9.6, by PostgreSQL contributor
Masahiko Sawada
PostgreSQL 9.6 新機能紹介
PostgreSQL 9.6 新機能紹介
Masahiko Sawada
pg_bigmと類似度検索
pg_bigmと類似度検索
Masahiko Sawada
pg_bigmを触り始めた人に伝えたいこと
pg_bigmを触り始めた人に伝えたいこと
Masahiko Sawada
More from Masahiko Sawada
(20)
PostgreSQL 15の新機能を徹底解説
PostgreSQL 15の新機能を徹底解説
行ロックと「LOG: process 12345 still waiting for ShareLock on transaction 710 afte...
行ロックと「LOG: process 12345 still waiting for ShareLock on transaction 710 afte...
PostgreSQL 15 開発最新情報
PostgreSQL 15 開発最新情報
Vacuum徹底解説
Vacuum徹底解説
PostgreSQL 12の話
PostgreSQL 12の話
OSS活動のやりがいとそれから得たもの - PostgreSQLコミュニティにて -
OSS活動のやりがいとそれから得たもの - PostgreSQLコミュニティにて -
Database Encryption and Key Management for PostgreSQL - Principles and Consid...
Database Encryption and Key Management for PostgreSQL - Principles and Consid...
今秋リリース予定のPostgreSQL11を徹底解説
今秋リリース予定のPostgreSQL11を徹底解説
Vacuum more efficient than ever
Vacuum more efficient than ever
Vacuumとzheap
Vacuumとzheap
アーキテクチャから理解するPostgreSQLのレプリケーション
アーキテクチャから理解するPostgreSQLのレプリケーション
Parallel Vacuum
Parallel Vacuum
PostgreSQLでスケールアウト
PostgreSQLでスケールアウト
OSS 開発ってどうやっているの? ~ PostgreSQL の現場から~
OSS 開発ってどうやっているの? ~ PostgreSQL の現場から~
PostgreSQL10徹底解説
PostgreSQL10徹底解説
FDW-based Sharding Update and Future
FDW-based Sharding Update and Future
What’s new in 9.6, by PostgreSQL contributor
What’s new in 9.6, by PostgreSQL contributor
PostgreSQL 9.6 新機能紹介
PostgreSQL 9.6 新機能紹介
pg_bigmと類似度検索
pg_bigmと類似度検索
pg_bigmを触り始めた人に伝えたいこと
pg_bigmを触り始めた人に伝えたいこと
Recently uploaded
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Bert Jan Schrijver
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
masabamasaba
The title is not connected to what is inside
The title is not connected to what is inside
shinachiaurasa2
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
Jittipong Loespradit
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
Papp Krisztián
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
masabamasaba
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand
masabamasaba
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students
HimanshiGarg82
What Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the Situation
Juha-Pekka Tolvanen
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
panagenda
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
Shane Coughlan
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
masabamasaba
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
Health
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2
Artyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptx
AnnaArtyushina1
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
masabamasaba
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
masabamasaba
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
masabamasaba
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
VictoriaMetrics
WSO2CON2024 - It's time to go Platformless
WSO2CON2024 - It's time to go Platformless
WSO2
Recently uploaded
(20)
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
The title is not connected to what is inside
The title is not connected to what is inside
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students
What Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the Situation
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
Artyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptx
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
WSO2CON2024 - It's time to go Platformless
WSO2CON2024 - It's time to go Platformless
Transparent Data Encryption in PostgreSQL
1.
Copyright©2019 NTT Corp.
All Rights Reserved. Transparent Data Encryption in PostgreSQL NTT Open Source Software Center Masahiko Sawada PGCon 2019
2.
2Copyright©2019 NTT Corp.
All Rights Reserved. • Database servers are often the primary target of the following attacks • Privilege abuse • Database SQL injections attacks • Storage media theft • Eavesdropping attacks between client and server • etc. Database Security Threats DB administratorApplications Database server Eavesdropping attacks SQL injections Privilege abuse Physical storage theft
3.
3Copyright©2019 NTT Corp.
All Rights Reserved. Encryption Database Server Application Server
4.
4Copyright©2019 NTT Corp.
All Rights Reserved. • Protect data from attacks bypassing database access control layer(ACL) • Read database file directly • Taking a backup • Doesn’t protect from attacks by malicious “privileged” users • SELECT SQL command by superuser • Data is not encrypted while being used • On shared buffer, on network • Often implements as transparent data encryption(TDE) Data at rest Encryption
5.
5Copyright©2019 NTT Corp.
All Rights Reserved. • Full disk encryption (e.g. dmcrypt) is platform dependent • Doesn’t protect data from logged-in OS users How About Full Disk Encryption?
6.
6Copyright©2019 NTT Corp.
All Rights Reserved. • Provide set of cryptographic functions • A convenient tool But, • Not transparent to users • Need to modify SQL, application code • Triggers and views help • Could be a cause of performance overhead • Data needs to be decrypted every time it is accessed How About contrib/pgcrypto?
7.
7Copyright©2019 NTT Corp.
All Rights Reserved. Transparent Data Encryption in PostgreSQL
8.
8Copyright©2019 NTT Corp.
All Rights Reserved. Per tablespace encryption • CREATE TABLESPACE enctblsp ... WITH (encryption = on); • Fine grained control • Specified table and its indexes, TOAST table and WAL are transparently encrypted • Also encrypt other objects such as system catalogs and temporary files • Under discussion on pgsql-hackers • [Proposal] Table-level Transparent Data Encryption (TDE) and Key Management Service (KMS) Proposal
9.
9Copyright©2019 NTT Corp.
All Rights Reserved. PostgreSQL I/O Architecture postgres Shared Buffer Disk postgres postgres Page Cache (Kernel) raw block data
10.
10Copyright©2019 NTT Corp.
All Rights Reserved. PostgreSQL I/O Architecture postgres Disk postgres postgres Page Cache (Kernel) raw block data Shared Buffer Backend processes read pages from the shared buffers and modify them.
11.
11Copyright©2019 NTT Corp.
All Rights Reserved. PostgreSQL I/O Architecture postgres Disk postgres postgres Page Cache (Kernel) raw block data Shared Buffer bgwriter periodically writes the dirty pages out to the kernel page cache.
12.
12Copyright©2019 NTT Corp.
All Rights Reserved. PostgreSQL I/O Architecture postgres Disk postgres postgres raw block data Shared Buffer Page Cache (Kernel) Dirty pages are flushed to the disk by the checkpointer or the kernel.
13.
13Copyright©2019 NTT Corp.
All Rights Reserved. Buffer Level Encryption (our solution) postgres Shared Buffer Disk Pros: • Relatively less execution of encryption and decryption • Prevent peeking file on disk Cons: • Possibly repeated encryption and decryption of same data if the database doesn’t fit in shared buffers postgres postgres Page Cache (Kernel) raw data encrypted data
14.
14Copyright©2019 NTT Corp.
All Rights Reserved. Latency (90%tile): vanilla: 1.98 ms, TDE: 2.01 ms, pgcrypto: 2.28 ms Results 6000 6500 7000 7500 8000 8500 20 40 60 80 100 120 140 160 180 200 220 240 260 280 300 TPS Duraiton(sec) TPS comparison (R:100,W:3) vanilla tde pgcrypto 8000 8500 9000 9500 10000 10500 11000 10 30 50 70 90 110 130 150 170 190 210 230 250 270 TPS Duration (sec) TPS comparison (R:100) vanilla tde pgcrypto Latency (90%tile): vanilla: 2.32 ms, TDE: 2.45 ms, pgcrypto: 2.66 ms DB size < shared buffers DB size > shared buffers
15.
15Copyright©2019 NTT Corp.
All Rights Reserved. • Advanced Encryption Standard(AES) • Symmetric key algorithm • AES-256 • Block cipher • 16 bytes block size • Using openssl is preferable (--with-openssl) • AES-NI • Block cipher mode of operation • CBC or XTS How To Encrypt
16.
16Copyright©2019 NTT Corp.
All Rights Reserved. • For faster key rotation • Master key • Stored outside the database • Encrypt/Decrypt tablespace keys • One key per database cluster • Tablespace Key (= data key) • Stored inside the database • Encrypt/Decrypt database objects • One key per tablespace 2-Tier Key Hierarchy Master Key Encrypt/Decrypt Encrypt/ Decrypt External Location Database Server ENCRYPTED DATA Tablespace key
17.
17Copyright©2019 NTT Corp.
All Rights Reserved. • For faster key rotation • Master key • Stored outside the database • Encrypt/Decrypt tablespace keys • One key per database cluster • Tablespace Key (= data key) • Stored inside the database • Encrypt/Decrypt database objects • One key per tablespace 2-Tier Key Hierarchy Master Key Encrypt/Decrypt Encrypt/ Decrypt External Location Database Server ENCRYPTED DATA Tablespace key New Master Key
18.
18Copyright©2019 NTT Corp.
All Rights Reserved. • Key management is very important • How can we robustly manage the master key? • Better leave it to a specialist • Usually support some kinds of protocols • KMIP, HTTPS etc Key Management
19.
19Copyright©2019 NTT Corp.
All Rights Reserved. • Key manager manages a key management plugin as well as tablespace keys • Add generic interface between PostgreSQL and key management systems (Key management API) Integration with Key Management Systems Key management API get_key(), generate_key(), remove key() Encrypted file A KMS B KMS Bufmgr, smgr, encryption etc File A KMS A KMS KMIP HTTPSread/write Key manager (keyring) Encrypted Tablespace keys Shared Memory master key Local Memory Tablespace keys shared buffer
20.
20Copyright©2019 NTT Corp.
All Rights Reserved. • PostgreSQL gets the master key from KMS at startup • Cache the master key on the shared memory • Risk of key leakage when memory dump • MADV_DONTDUMP of madvise(2) helps • Risk of key leakage when swapped out • mlock(2) helps • Backend processes get the encrypted tablespace key at startup and decrypt all of them with the master key Caching Keys
21.
21Copyright©2019 NTT Corp.
All Rights Reserved. • WAL Block Encryption • Encrypt WAL block every commit time • WAL writer could encrypt • WAL Record encryption • Encrypt WAL when inserting to WAL buffer • Doesn’t encrypt WAL data that is not pertaining to encrypted tables WAL Encryption A block on WAL Buffer WAL file writeencrypt & write WAL file memcpy encrypt & memcpy 1. Encrypt WAL blocks 2. Encrypt WAL records
22.
22Copyright©2019 NTT Corp.
All Rights Reserved. • It’s more secure if we use the same encryption key for WAL encryption as that used for table • Choice #2 would be better approach WAL Encryption A block on WAL Buffer WAL file writeencrypt & write WAL file memcpy encrypt & memcpy 1. Encrypt WAL blocks 2. Encrypt WAL records
23.
23Copyright©2019 NTT Corp.
All Rights Reserved. Performance Overhead of WAL Encryption • Compare performance on insert-heavy workload • Encrypt all WAL blocks/records • pg_wal directory on tmpfs to avoid disk I/O bottleneck • Each transaction inserts a few records and commit • Max 7% degradation 1.00 1.06 1.07 1.05 1.04 0.00 0.20 0.40 0.60 0.80 1.00 1.20 No Encrytpion WAL Block WAL Record WAL Record (1/2) WAL Record (1/5) INSERT 10M rows (tempfs)
24.
24Copyright©2019 NTT Corp.
All Rights Reserved. • pg_wal on HDD • No big performance overhead Performance Overhead of WAL Encryption 1.00 1.01 1.00 0.00 0.20 0.40 0.60 0.80 1.00 1.20 No Encrytpion WAL Block WAL Record INSERT 50k rows (HDD)
25.
25Copyright©2019 NTT Corp.
All Rights Reserved. WAL Record Format XLogRecord XLogRecordBlockHeader (RelfileNode, BlockNumber) XLogREcordBlockImageHeader XLogRecordDataHeaderShort Full page image (w/o hole) for new buffer xl_heap_header new tuple xl_heap_update xl_heap_header old tuple An example of xl_heap_update (wal_level = logical) Header data No user data is stored Block data FPI and tuples are stored Main data Could also contain tuples
26.
26Copyright©2019 NTT Corp.
All Rights Reserved. WAL Record Encryption XLogRecord XLogRecordBlockHeader (RelfileNode, BlockNumber) XLogRecordBlockImageHeader XLogRecordDataHeaderShort Full page image (w/o hole) for new buffer xl_heap_header new tuple xl_heap_update xl_heap_header old tuple Choice #1: Encrypt whole WAL record • Need another header containing ciphertext length and tablespace oid (key of encryption key) • Need decryption before validation • Frontend programs(pg_waldump, pg_rewind etc) need to obtain tablespace keys and master key Choice #2: Encrypt only block data + main data • XLogRecordHeader has a flag saying “hey this record is encrypted” • Frontend programs need to obtain tablespace keys and master key Choice #3: Move xl_xxx_xxx to just below header data and #2 • Frontend tools don’t want to see user data don’t need to decrypt WAL record • Possible?
27.
27Copyright©2019 NTT Corp.
All Rights Reserved. WAL Record Encryption XLogRecord (ENCRYPTED!) XLogRecordBlockHeader (RelfileNode, BlockNumber) XLogRecordBlockImageHeader XLogRecordDataHeaderShort Full page image (w/o hole) for new buffer xl_heap_header new tuple xl_heap_update xl_heap_header old tuple Choice #1: Encrypt whole WAL record • Need another header containing ciphertext length and tablespace oid (key of encryption key) • Need decryption before validation • Frontend programs(pg_waldump, pg_rewind etc) need to obtain tablespace keys and master key Choice #2: Encrypt only block data + main data • XLogRecordHeader has a flag saying “hey this record is encrypted” • Frontend programs need to obtain tablespace keys and master key Choice #3: Move xl_xxx_xxx to just below header data and #2 • Frontend tools don’t want to see user data don’t need to decrypt WAL record • Possible?
28.
28Copyright©2019 NTT Corp.
All Rights Reserved. WAL Record Encryption XLogRecord (ENCRYPTED!) XLogRecordBlockHeader (RelfileNode, BlockNumber) XLogRecordBlockImageHeader XLogRecordDataHeaderShort xl_heap_update Full page image (w/o hole) for new buffer xl_heap_header new tuple xl_heap_header old tuple Choice #1: Encrypt whole WAL record • Need another header containing ciphertext length and tablespace oid (key of encryption key) • Need decryption before validation • Frontend programs(pg_waldump, pg_rewind etc) need to obtain tablespace keys and master key Choice #2: Encrypt only block data + main data • XLogRecordHeader has a flag saying “hey this record is encrypted” • Frontend programs need to obtain tablespace keys and master key Choice #3: Move xl_xxx_xxx to just below header data and #2 • Frontend tools don’t want to see user data don’t need to decrypt WAL record • Possible?
29.
29Copyright©2019 NTT Corp.
All Rights Reserved. • Temporary files are written bypassing the shared buffers • base/pgsql_tmp/ • pg_replslots/ • pg_stat_statements Temporary File Encryption postgres Shared Buffer Disk temp files
30.
30Copyright©2019 NTT Corp.
All Rights Reserved. • Temporary files encryption could use “a disposable key” • Generated randomly by each backend process before use • lives only during process lifetime • No other process need to read temporary files • Interface problem • Non-uniformed file access interfaces Disposable Key
31.
31Copyright©2019 NTT Corp.
All Rights Reserved. CREATE DATABASE ... TABLESPACE enc_tblsp; • System catalogs could have user sensitive data • pg_statistics, pg_statistics_ext, pg_proc, pg_class etc • System catalogs of an encrypted database are encrypted • Encrypt all system catalogs in database that is created on a encrypted tablespace System Catalogs Encryption
32.
32Copyright©2019 NTT Corp.
All Rights Reserved. • Per tablespace, buffer-level transparent data at rest encryption • Less performance overhead • Encrypt WAL, system catalogs and temporary files as well • 2-tier key architecture • Fast key rotation • Integration with KMSs • Provide more flexible and robust key management Conclusion Remarks
33.
33Copyright©2019 NTT Corp.
All Rights Reserved. Two proposals • Cluster-wide data at rest encryption is under development • "WIP: Data at rest encryption" patch and, PostgreSQL 11-beta3 • Proposed by Antonin Houska • Per-Tablespace data at rest encryption • Table-level Transparent Data Encryption (TDE) and Key Management Service (KMS) • Proposed by Moon Insung, Masahiko Sawada Current Status
34.
34Copyright©2019 NTT Corp.
All Rights Reserved. • Further discussion on pgsql-hackers • Submit a draft version patch set for PostgreSQL 13 Future Plans
35.
35Copyright©2019 NTT Corp.
All Rights Reserved. • Block cipher mode of operation • https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation • Disk encryption theory • https://en.wikipedia.org/wiki/Disk_encryption_theory#XEX- based_tweaked-codebook_mode_with_ciphertext_stealing_(XTS) Some References
36.
36Copyright©2019 NTT Corp.
All Rights Reserved. Thank you
37.
37Copyright©2019 NTT Corp.
All Rights Reserved. • CTR mode turns a block cipher into a streaming cipher • Stream cipher: byte-to-byte encryption • Unlike block mode cipher, random read is available • Used for stream data such as network packets CTR (Counter) Mode https://en.wikipedia.org/wiki/Disk_encryption_theory
38.
38Copyright©2019 NTT Corp.
All Rights Reserved. • The characteristics of WAL is quite similar to stream data • Append only • Data once written is never updated • Stream cipher doesn’t need padding even for 15 byte or less data Why Can CTR Mode be Used for WAL Encryption?
Download now