Transparent Data Encryption in PostgreSQL

I have recently been working with the PostgreSQL community on TDE (Transparent Data Encryption). Along the way I studied some cryptography and applied it to the database. I will introduce TDE in PostgreSQL along the following three dimensions:

  1. The current threat model of the database
  2. The encryption policy and the current design status in the PostgreSQL community
  3. Future data security

What is TDE?

Transparent Data Encryption (often abbreviated to TDE) is a technology employed by Microsoft, IBM and Oracle to encrypt database files. TDE offers encryption at file level. TDE solves the problem of protecting data at rest, encrypting databases both on the hard drive and consequently on backup media.

–Transparent_Data_Encryption

Before turning to cryptography, we must first understand which security threats the database faces.

Security Threat Model

  1. Inappropriate permissions
    Many applications grant users unnecessary privileges for the sake of convenience. Secondly, if accounts are not cleaned up in time (for example, those of employees who have resigned), information leakage also occurs.
    Most applications place few restrictions on DBAs and developers, which also carries a risk of data loss.
    Privilege-granting policies, separation of duties, and database auditing are all important ways to prevent such threats.
  2. SQL injection attack
    SQL injection has always been one of the major risks facing databases. With the spread of B/S (browser/server) application development, more and more programmers write applications in this mode. However, because skill and experience vary, a considerable number of programmers do not validate user input when writing code, which leaves the application exposed. A user can submit database query code and, from the results the program returns, obtain data he wants to know.
    Sound software architecture design and auditing SQL for legitimacy are effective ways to prevent such threats.
  3. Deliberate attacks
    An attacker can reach the database through network eavesdropping, Trojan attacks, and so on, creating a risk of data loss. Many vendors fail to enable encryption of network traffic because of performance or resource concerns, which exposes data to eavesdropping.
    Secondly, a malicious attacker can infect a legitimate user's device with a Trojan and steal data through it, again causing data loss.
    Improved security measures, such as turning on the firewall and enabling network transmission encryption, together with strengthened database auditing, can be used to combat such threats.
  4. Weak audit trail
    Because of resource consumption and performance degradation, many vendors turn off audit trails or enable only limited ones, which can let malicious administrators tamper with data.
    Secondly, restricting operations on the basis of audit findings is difficult to implement: for example, it is hard to distinguish a DBA's legitimate operations from trespassing, which makes it difficult to defend against attacks after auditing.
    Auditing at the network equipment level is currently the most effective auditing approach.
  5. Unsafe storage medium
    The storage medium itself is at risk of theft, and secondly backup storage usually has weaker security settings, which leads to data loss.
    Strengthening the protection of physical media, encrypting user data, and enforcing security settings for all data stores protect against such threats.
  6. Unsafe third party
    With the cloud era and 5G, more vendors store data in the cloud, which introduces a third-party trust issue. If the third party has a malicious administrator who illegally steals or reads sensitive data, or provides servers with security flaws, data loss results.
    Selecting a trusted third party and encrypting user data avoid unsafe third-party threats.
  7. Database vulnerability or incorrect configuration
    As modern database software gains functionality, complex programs are likely to contain security vulnerabilities, and many vendors are reluctant to upgrade in order to keep the system stable, so the data faces a large risk of leakage.
    Second, inadequate security settings also carry high risk. The security configuration here refers not only to the database level; the operating-system level also needs hardening.
    Regularly fixing database vulnerabilities and tightening security configuration address this threat.
  8. Limited security expertise and education
    According to statistics, about 30% of data breaches are caused by human error, so security education needs to be strengthened.
    Regular security training raises awareness of the necessary precautions.
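As an added example (not from the original post), the SQL injection pattern from threat 2 in PostgreSQL's own PL/pgSQL: dynamic SQL that splices caller-supplied text into the statement, next to the hardened form that binds it as a parameter. The customers table, its name column and the function names are assumed for illustration.

```sql
-- Added example, not from the original post; table and function names are assumed.

-- Vulnerable: p_name is spliced into the statement text, so any quote
-- character in the input changes the SQL that actually gets executed.
CREATE OR REPLACE FUNCTION find_customer_unsafe(p_name text)
RETURNS SETOF customers LANGUAGE plpgsql AS $$
BEGIN
    RETURN QUERY EXECUTE
        'SELECT * FROM customers WHERE name = ''' || p_name || '''';
END;
$$;

-- Hardened: the value travels as a bound parameter via USING, so the
-- server always treats it as data, never as part of the SQL text.
CREATE OR REPLACE FUNCTION find_customer(p_name text)
RETURNS SETOF customers LANGUAGE plpgsql AS $$
BEGIN
    RETURN QUERY EXECUTE
        'SELECT * FROM customers WHERE name = $1' USING p_name;
END;
$$;

-- Note: static SQL inside PL/pgSQL is already parameterised, so EXECUTE
-- is only needed when the statement itself must vary at run time.
CREATE OR REPLACE FUNCTION find_customer_static(p_name text)
RETURNS SETOF customers LANGUAGE plpgsql AS $$
BEGIN
    RETURN QUERY SELECT * FROM customers WHERE name = p_name;
END;
$$;

-- When an identifier (column name) must be dynamic, quote it with %I via
-- format() and still bind the value; %L is the fallback for literals that
-- cannot be passed through USING.
CREATE OR REPLACE FUNCTION find_by_column(p_col text, p_value text)
RETURNS SETOF customers LANGUAGE plpgsql AS $$
BEGIN
    RETURN QUERY EXECUTE
        format('SELECT * FROM customers WHERE %I = $1', p_col)
        USING p_value;
END;
$$;
```

Auditing for the `'...' || variable || '...'` pattern in EXECUTE strings is a practical way to carry out the "auditing SQL for legitimacy" recommended under threat 2.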

In summary, current data encryption addresses the threats of insecure storage media and insecure third parties.
We also know that a database needs not only security but also a balance of performance, stability, and ease of use.
So how should data encryption be designed?