PostgreSQL Security

My first “in-person” class of my graduate program was a discussion on the security of PostgreSQL given by Bruce Momjian.  Not surprisingly, PostgreSQL offers a full range of SSL support and a slew of encryption options.  As impressive as the options are, the challenge, it seems to me, lies in deciding what trade-offs make sense for a particular deployment.

For example, if one chooses column-level encryption, then that data is not only hidden from malicious entities, but also from friendly daemons like the statistics collector.  There are definitely some interesting systems engineering decisions that need to be made when deciding what data is critical enough to be encrypted.

On the TLS side, I couldn’t help but think of Adam Langley’s (Google Chrome TLS guy) talk from HOPE#9, which I unfortunately did not attend, but fortunately the audio is now posted!  Essentially, if the state of web SSL is as bad as he says it is, I wonder how many databases actually have SSL incorporated correctly?  Of course, security is a multi-pronged beast, and SSL isn’t going to help you when somebody steals the hard drive with your database on it.

Having taken classes only online, I took advantage of this antiquated medium (going to class in person is so 2011) and asked a lot of questions, probably much to the chagrin of my fellow students.  But, it was a nice change of pace and I can see why so many physical study groups have sprung up from the Coursera courses.

2 thoughts on “PostgreSQL Security”

  1. I wouldn’t worry about the security of databases; you can just assume it’s terrible everywhere. That is the sad fact. If you are lucky they might actually hash your passwords.

    • I was a little surprised to see that PostgreSQL uses md5 for its password hashing. They constantly use random salt, so it looks like the data is ephemeral enough that they minimize the chance for a collision. And I’m sure there would be a big upgrade pain to move off of md5…
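Since the comment above raises how PostgreSQL’s md5 passwords and their salt work, here is an added walk-through (my own illustration, not code from the post, the commenters, or the PostgreSQL project) of the two places md5 appears: the stored hash, which is salted only with the role name, and the per-connection challenge, which is where the random four-byte salt comes in. The username, password and salt values are constructed for the demo.

```python
import hashlib
import hmac
import os


def md5_stored_password(password: str, username: str) -> str:
    """What PostgreSQL keeps in pg_authid.rolpassword for an md5 password:
    'md5' + hex(md5(password || username)).  The role name is the only salt,
    so the same role/password pair hashes identically on every server."""
    return "md5" + hashlib.md5((password + username).encode("utf-8")).hexdigest()


def new_connection_salt() -> bytes:
    """The server sends 4 random bytes in AuthenticationMD5Password.  This is
    the random salt the comment mentions: it is per connection, and it only
    protects the wire exchange, not the stored hash."""
    return os.urandom(4)


def md5_auth_response(password: str, username: str, salt: bytes) -> str:
    """Client side of the exchange:
    'md5' + hex(md5(hex(md5(password || username)) || salt))."""
    inner = hashlib.md5((password + username).encode("utf-8")).hexdigest()
    return "md5" + hashlib.md5(inner.encode("ascii") + salt).hexdigest()


def md5_auth_verify(stored: str, response: str, salt: bytes) -> bool:
    """Server side.  Note it never needs the cleartext password, only the
    stored hash; whoever holds that stored value can answer the challenge,
    so rolpassword must be guarded like the password itself.  Newer releases
    offer scram-sha-256 (password_encryption), which avoids this."""
    expected = "md5" + hashlib.md5(stored[3:].encode("ascii") + salt).hexdigest()
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Run one constructed login for role 'alice' and report what happened."""
    username, password = "alice", "s3cret"        # constructed demo values
    stored = md5_stored_password(password, username)
    salt = new_connection_salt()
    good = md5_auth_response(password, username, salt)
    bad = md5_auth_response("wrong-guess", username, salt)
    return {
        "stored": stored,
        "accepted_good": md5_auth_verify(stored, good, salt),
        "accepted_bad": md5_auth_verify(stored, bad, salt),
        # same role and password on a second server: identical stored hash
        "same_on_other_server": stored == md5_stored_password(password, username),
    }
```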
