PostgresOpen 2013 A Comparison of PostgreSQL Encryption Options

36,504 views

Published on

Are you looking to encrypt your data within PostgreSQL? We will review the various options available for encrypting data with PostgreSQL. We will also look at various options available to employ encryption and review various configuration and performance for using encryption.

There are a number of options available when encrypting data with PostgreSQL. When determining the mechanisms to use, it is important to understand the data, the application and how it is being used. We will compare different methods of encrypting data in their feature-sets and performance.

We will try to answer the following questions: Where do I enable the encryption? Where is my data safe and where is it exposed? Why should I use the various encryption modules available?

Published in: Technology
0 Comments
3 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
36,504
On SlideShare
0
From Embeds
0
Number of Embeds
42
Actions
Shares
0
Downloads
79
Comments
0
Likes
3
Embeds 0
No embeds

No notes for slide

PostgresOpen 2013 A Comparison of PostgreSQL Encryption Options

  1. 1. A Comparison of PostgreSQL Encryption Options Syed Faisal Akber, Staff Technical Support Engineer Dong Ye, Staff Engineer © 2013 VMware Inc. All rights reserved
  2. 2. Agenda      2 Why encryption? Some Postgres encryption options Performance results Real-world use cases Conclusions
  3. 3. Why Encrypt Data?  Protect sensitive information  Prevent identity theft  Satisfy paranoia  Comply with laws and standards (SOX, HIPPA, PCI, …) 3
  4. 4. Typical Architecture 4
  5. 5. Postgres Encryption Options  Where? • Encrypting Specific Columns • Encrypting Data Partitions • Encrypting Data Across Network  Who? • Database Server/Client Communication over SSL • Complete Application Encryption 5
  6. 6. Encrypting Specific Columns  Why? • Offload • Centralize  Use the pgcrypto module  Require application change 6
  7. 7. Encrypting Specific Columns: Diagram A B C 1 1200 F7956d6e 2 -45 249e401 Specific columns are protected 7
  8. 8. Encrypting Specific Columns: pgcrypto  Provide a number of functions • General hashing functions • Password hashing functions • PGP functions • RAW encryption/decryption functions 8
  9. 9. Using pgcrypto  Build Server and Extension, Use Extension ./configure --with-openssl make make install cd contrib/pgcrypto make make install pgbench=# CREATE EXTENSION pgcrypto;  Augment DML in application INSERT Example INSERT INTO z (a, b, c) VALUES (3, 34500, encrypt('Test'::bytea, 'key'::bytea, 'aes')); SELECT Example SELECT a, b, convert_from(decrypt(c, 'key'::bytea, 'aes'), current_setting('server_encoding'))::int AS c FROM z WHERE a = 1; 9
  10. 10. Encrypting Data Partition: Diagram 10
  11. 11. Encrypting Data Partition (Filesystem)  Prepare an encrypted filesystem with dm-crypt dd if=/dev/zero of=/data/crypt count=8 bs=1G chmod 600 /data/crypt losetup /dev/loop0 /data/crypt cryptsetup -y create secretfs /dev/loop0 cryptsetup status secretfs mke2fs -j -O dir_index /dev/mapper/secretfs tune2fs -l /dev/mapper/secretfs mkdir /mnt/secretfs mount /dev/mapper/secretfs /mnt/secretfs/  Run initdb on the encrypted filesystem  Start Postgres server 11
  12. 12. Encrypting Data Across Network Two main methods  Postgres built-in SSL  SSH tunnel 12
  13. 13. Encrypting Data Across Network 13
  14. 14. Encrypting Data Across Network: SSL     Facility exists in Postgres Configure server Configure SSL flag in client May need to open ports in firewall/router Cisco PAT configuration in Cisco IOS ip nat inside source static tcp 10.4.3.2 5432 interface Serial0 5432 14
  15. 15. Server Configuration Build Server ./configure --with-openssl make make install Create SSL Keys and Sign Certificate openssl req -new -text -out server.req openssl rsa -in privkey.pem -out server.key rm privkey.pem openssl req -x509 -in server.req -text -key server.key -out server.crt chmod 600 server.key 15
  16. 16. Server Configuration (cont.)  Update pg_hba.conf hostssl all all  Update postgresql.conf • Ensure listen_addresses is set correctly • Add ssl = on • Check SSL certificate files location ssl_cert_file = 'server.crt' ssl_key_file = 'server.key'  Restart Postgres server 16 0.0.0.0/0 md5
  17. 17. Client Configuration  Connect using sslmode option with one of four values: • disable • allow • prefer • require PHP Connection Example $link = pg_connect("host=10.4.3.2 port=5432 dbname=pgbench user=pgbench password=pgbench sslmode=require"); 17
  18. 18. Encrypting Data Across Network: SSH Tunnel  No modifications to Postgres configuration  Use of existing SSH gateway ssh -f -N -L 127.0.0.1:2000:10.4.3.2:5432 user@sshgw.corp.net PHP Connection Example $link = pg_connect("host=127.0.0.1 port=2000 dbname=pgbench user=pgbench password=pgbench"); 18
  19. 19. Complete Application Encryption  Application encrypts and writes data into database  Application reads and decrypts data from database  Requires no involvement of database and network • Listed here for completeness • No tests done 19
  20. 20. Complete Client Encryption 20
  21. 21. Test Bed      4x Intel Xeon E5-5640 (32 cores in total), EMC VNX5500 SAN Hypervisor: VMware ESXi 5.1 Express Patch 2 Virtual machine: 32 vCPUs, 12GB vRAM Guest operating system: SuSE Linux Enterprise Server 11 SP1 Postgres 9.3.0: • shared_buffers= 8GB, checkpoint_segments=100 • Separate partitions for PGDATA and XLOG  Benchmark: • pgbench -i -s 100; pgbench -c 32 -j 32 -M prepared -T 300 21
  22. 22. Encrypting Columns (pgcrypto) Tests  Test bed • pgbench connects over LAN • Workload: pgbench from postgresql.git versus pgbench modified • pgbench modified: encrypt/decrypt abalance column in pgbench_accounts UPDATE pgbench_accounts SET abalance = encrypt( decrypt(abalance) + :delta) WHERE tid = :tid; SELECT convert_from(decrypt(abalance, 'key'::bytea, 'aes'), current_setting('server_encoding')) FROM pgbench_accounts WHERE aid = :aid; UPDATE pgbench_accounts SET abalance = encrypt(0::text::bytea, 'key'::bytea, 'aes');  Results Baseline pgbench tps 22 pgcrypto 3483 3311
  23. 23. Encrypting Data Partition Tests  Test bed • pgbench connects over Unix domain sockets  Results Baseline pgbench tps 23 Encrypting DATA & XLOG 13814 5414
  24. 24. Encrypting Data over Network Tests  Test bed • pgbench connects over LAN and WAN (coast-to-coast)  Results pgbench tps SSL SSH tunnel LAN 3250 3132 1510 WAN 24 Baseline 42.11 42.01 34.68
  25. 25. Real-World Use Cases  E-commerce website  Patient information application 25
  26. 26. E-Commerce Website  Case • Web server is hosted on public cloud • Database server is hosted internally  Options to encrypt data on the wire • SSL • pgcrypto for specific columns (e.g., credit card) 26
  27. 27. Patient Information Application  Case • Internal application • Information remains in-house (within clinic or hospital)  Options to encrypt data on disk • Data partition • Specific columns 27
  28. 28. Conclusions  Why Encrypt Data?  Encryption Options • pg_crypto and Column based Encryption • SSL/SSH Tunnel • Filesystem Encryption  Performance results  Real-world Examples 28
  29. 29. Questions? 29
  30. 30. References              30 http://www.postgresql.org/docs/current/static/encryption-options.html http://www.postgresql.org/docs/current/static/pgbench.html http://www.postgresql.org/docs/current/static/ssl-tcp.html http://www.postgresql.org/docs/current/static/ssh-tunnels.html http://www.postgresql.org/docs/current/static/libpq-connect.html http://www.postgresql.org/docs/current/static/pgcrypto.html http://www.postgresql.org/docs/current/static/libpq-ssl.html http://www.revsys.com/writings/quicktips/ssh-tunnel.html http://cubist.cs.washington.edu/doc/ExamplePHPwPostgreSQL.shtml http://php.net/manual/en/ref.pgsql.php http://www.php.net/manual/en/function.pg-connect.php http://wiki.centos.org/HowTos/EncryptedFilesystem http://www.faqs.org/docs/Linux-HOWTO/Loopback-Encrypted-Filesystem-HOWTO.html

×