Does PostgreSQL support Transparent Data Encryption (TDE)? We are planning to use PostgreSQL for our remote clients, but are worried that the data files can be copied and a new instance of the database can be recreated on an unauthorized machine. TDE solves this problem. But we're not sure if PostgreSQL supports TDE -- does it?

+2  A: 

I think you need to specify exactly what your needs are, instead of quoting a proprietary product name.

PostgreSQL supports several different ways of doing encryption, both of stored data and the transfer of the data. It is, to the best of my knowledge, not syntax compatible with TDE.

There are also other ways to accomplish similar things. For example, you can just run PostgreSQL on top of an encrypted filesystem, and the problem should be solved.

Magnus Hagander
Hello Magnus. Appreciate the response. We are in the process of developing an offline client application. This application syncs data with the server whenever it gets an HTTP connection. The question is related to the database, data security for the offline client. We do not want the data files to be stolen and then misused with a new unauthorized instance of the database being created. The offline client will work on Windows XP, Vista. Your solution of running PostgreSQL on an encrypted file system is mentioned for Linux. Not sure it will work on Windows. Thanks, Sameer
+1  A: 

The only thing that supports Oracle's Transparent Data Encryption is Oracle; it's not a standard of any sort. Even TDE doesn't really "solve this problem" against a determined client if all they want is a copy of the data in the files they're allowed to see. If the client has access to the database and you've unlocked the wallet for them, they can effectively get a copy of the data files out of there too. TDE is useful for keeping your backups encrypted so they can't be used, but any good encrypting backup tool should do that anyway. Not having the data files directly readable without unlocking them first also has some value; as Magnus already pointed out, an encrypted filesystem would do something similar.

But when it comes to the database, if someone can read the data to use it, they can effectively make a copy of it. Because of this observation, PostgreSQL doesn't bother acting as if adding encryption of the data that comes in or out of the database is important. Use encryption at the filesystem and backup level, and use SSL to encrypt network communication; these are all effective security practices. But once the database is up and you've made it available to clients, you've lost control of their ability to make copies of the data itself.

Greg Smith
Thanks, I will check if Windows XP/Vista filesystem can be encrypted. Appreciate this.
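The answer above recommends SSL for network communication. The following is an added example, not part of the thread or of PostgreSQL itself: a small audit that reports `pg_hba.conf` rules still accepting unencrypted TCP connections and checks whether `postgresql.conf` turns `ssl` on. The sample file contents and the function names are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample pg_hba.conf for illustration; not taken from the thread.
SAMPLE_HBA = """\
# TYPE     DATABASE  USER  ADDRESS         METHOD
local      all       all                   peer
host       all       all   127.0.0.1/32    md5
host       appdb     sync  0.0.0.0/0       md5
hostssl    appdb     sync  10.0.0.0/8      md5
hostnossl  all       all   192.168.1.0/24  trust
"""

def is_loopback(address):
    """True when the ADDRESS field is an IP network that only covers loopback."""
    try:
        return ipaddress.ip_network(address, strict=False).is_loopback
    except ValueError:
        return False  # host names and keywords like 'all' are treated as remote

def audit_hba(text):
    """Return (line_number, message) for rules that allow cleartext TCP logins."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # simplification: ignores quoted '#'
        if len(fields) < 5 or fields[0] not in ("host", "hostnossl"):
            continue  # 'local' is a Unix socket; 'hostssl' already requires SSL
        if is_loopback(fields[3]):
            continue
        if fields[0] == "host":
            message = "'host' matches SSL and non-SSL clients; use 'hostssl'"
        else:
            message = "'hostnossl' matches only unencrypted connections"
        if "trust" in fields[4:]:
            message += "; 'trust' also skips authentication"
        findings.append((number, message))
    return findings

def ssl_enabled(conf_text):
    """Return True if a postgresql.conf text turns ssl on (the default is off)."""
    enabled = False
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].replace("=", " ", 1).split()
        if len(parts) >= 2 and parts[0].lower() == "ssl":
            enabled = parts[1].strip("'\"").lower() in ("on", "true", "yes", "1")
    return enabled

if __name__ == "__main__":
    for number, message in audit_hba(SAMPLE_HBA):
        print(f"pg_hba.conf line {number}: {message}")
```

This covers only the network leg; it does nothing for the copied-data-file concern in the question, which the answers address with filesystem and backup encryption.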
A: 

It would seem the answer is NO and they want you to believe you don't need it.

Ted