PostgreSQL instance encryption: More database security

Nov 5, 20161 like1,298 views

By default PostgreSQL will store data on disk in its standard format. However, in many cases business or legal requirements require data to on disk be encrypted. On disk-encryption was paid for by German industry and is a classical case showing how business and Open Source can coexist. This talk shows, that it can be actually cheaper to implement a feature into an Open Source product than to license a commercial product such as Oracle, DB2, Informix, or MS SQL Server. Open Source can make a valuable contribution to save costs for everybody.

Full PostgreSQL instance encryption
Hans-Jürgen Schönig
www.postgresql-support.de
Hans-Jürgen Schönig
www.postgresql-support.de

First of all
Hans-Jürgen Schönig
www.postgresql-support.de

Did . . .
Did everybody have a good time in Tallinn?
Hans-Jürgen Schönig
www.postgresql-support.de

Introduction
Hans-Jürgen Schönig
www.postgresql-support.de

Cybertec Schönig & Schönig GmbH
24x7 support for PostgreSQL
PostgreSQL training
PostgreSQL consulting
Hans-Jürgen Schönig
www.postgresql-support.de

Get more out of PostgreSQL
Hans-Jürgen Schönig
www.postgresql-support.de

PostgreSQL features
PostgreSQL provides many features
Many “Enterprise” features are available
e.g. replication, analytics, etc.
Hans-Jürgen Schönig
www.postgresql-support.de

Missing stuﬀ
Nothing is feature complete
Once in a while everybody ﬁnds missing parts
Hans-Jürgen Schönig
www.postgresql-support.de

Sponsoring vs. licensing
Remember, PostgreSQL is Open Source
Sponsoring a feature is often cheaper than buying commercial
licenses
No need to chain yourself to a commercial vendor
Hans-Jürgen Schönig
www.postgresql-support.de

Database encryption: An example
Hans-Jürgen Schönig
www.postgresql-support.de

Speciﬁc customer requirements
Customer could only provide encryption based on expensive
commercial software
Encryption is needed to fulﬁll legal and internal requirements
Hans-Jürgen Schönig
www.postgresql-support.de

Making it work
Implement highly optimized code to handle encryption on the
block level in PostgreSQL
Totally transparent to the end user
Keys can be stored in a key store of your choice
Hans-Jürgen Schönig
www.postgresql-support.de

What it does
We encrypt:
Tables
Indexes
Temporary ﬁles
Full WAL encryption
Commit Log (clog)
More stuﬀ: Subtransaction directories, MultiXact . . .
What we do not encrypt (yet):
pg_stat_statements, logical replication buﬀers, control data (on
purpose)
Hans-Jürgen Schönig
www.postgresql-support.de

Encryption technology
Extensible mechanism
Included in pgcrypto: AES-XTS 128
Future versions will use Intel hardware support
Current prototype does 4 GB / sec per core !
Hans-Jürgen Schönig
www.postgresql-support.de

Good news
We all got encryption now
Not yet in core but available to end users already with full
professional support
Patch on hackers
Anybody willing to feedback?
Hans-Jürgen Schönig
www.postgresql-support.de

Commercial success
Writing code + integrating was cheaper than just integrating
commercial stuﬀ
Makes sense for everybody
Customer
Community
Hans-Jürgen Schönig
www.postgresql-support.de

What we learn from this
Have the guts and the conviction to do what is right
Think for yourself
Find solutions to YOUR problems
Do not change your requirements just because some commercial
vendor forces you to do so
Beneﬁt from Open Source
Invest wisely
Hans-Jürgen Schönig
www.postgresql-support.de

Where can we get the code?
Our website has the code:
http://www.cybertec.at/en/products/postgresql-instance-
level-encryption/
It is under PostgreSQL license
Hans-Jürgen Schönig
www.postgresql-support.de

Finally
Hans-Jürgen Schönig
www.postgresql-support.de

Any questions?
Feel free to ask
Hans-Jürgen Schönig
www.postgresql-support.de

Contact us
Cybertec Schönig & Schönig GmbH
Email: office@cybertec.at
Web: www.postgresql-support.de
Follow us on Twitter: @PostgresSupport
Hans-Jürgen Schönig
www.postgresql-support.de

PgCenter is a tool for monitoring and troubleshooting PostgreSQL. It provides a graphical interface to view key performance metrics and statuses. Some of its main features include displaying server health, load, memory and disk usage, statement performance, replication status and more. It aims to help PostgreSQL administrators quickly check the health of their databases and identify potential problems.

PostgresJeff Dickey

The document provides tips for diagnosing and improving performance of PostgreSQL databases. It recommends using EXPLAIN ANALYZE to identify slow queries and see if adding an index could help. Indexes can significantly improve performance but should be used judiciously as they require maintenance on writes. The document also provides examples of PostgreSQL commands and extensions that help analyze database performance issues like unused indexes, sequential scans, and index hit rates.

Как PostgreSQL работает с дискомPostgreSQL-Consulting

How does PostgreSQL work with disks: a DBA's checklist in detail. PGConf.US 2015PostgreSQL-Consulting

This document discusses how PostgreSQL works with disks and provides recommendations for disk subsystem monitoring, hardware selection, and configuration tuning to optimize performance. It explains that PostgreSQL relies on disk I/O for reading pages, writing the write-ahead log (WAL), and checkpointing. It recommends monitoring disk utilization, IOPS, latency, and I/O wait. The document also provides tips for choosing hardware like SSDs or RAID configurations and configuring the operating system, file systems, and PostgreSQL to improve performance.

PostgreSQL Administration for System AdministratorsCommand Prompt., Inc

Spencer Christensen There are many aspects to managing an RDBMS. Some of these are handled by an experienced DBA, but there are a good many things that any sys admin should be able to take care of if they know what to look for. This presentation will cover basics of managing Postgres, including creating database clusters, overview of configuration, and logging. We will also look at tools to help monitor Postgres and keep an eye on what is going on. Some of the tools we will review are: * pgtop * pg_top * pgfouine * check_postgres.pl. Check_postgres.pl is a great tool that can plug into your Nagios or Cacti monitoring systems, giving you even better visibility into your databases.

Http Caching for the Android AficionadoPaul Blundell

Infinum Android Talks #18 - How to cache like a boss by Željko PlesacInfinum

Nine Circles of Inferno or Explaining the PostgreSQL VacuumAlexey Lesovsky

The document describes the nine circles of the PostgreSQL vacuum process. Circle I discusses the postmaster process, which initializes shared memory and launches the autovacuum launcher and worker processes. Circle II focuses on the autovacuum launcher, which manages worker processes and determines when to initiate vacuuming for different databases. Circle III returns to the postmaster process and how it launches autovacuum workers. Circle IV discusses what occurs within an autovacuum worker process after it is launched, including initializing, signaling the launcher, scanning relations, and updating databases. Circle V delves into processing a single database by an autovacuum worker.

To Ksql Or Live the KStreamDani Traphagen

KSQL can be used for real-time streaming ETL, data enrichment, transformation, and anomaly detection. Some examples uses are streaming orders from Kafka into KSQL for filtering German orders into a separate topic, joining streaming data with data in an RDBMS, and collecting anomalous transactions into a table using windowing. When considering KSQL, factors include if the team is Java-focused, how the system will be deployed, and available hardware resources. KSQL is best for SQL-like queries on streams, while Kafka Streams is more low-level and customizable.

Chef patternsBiju Nair

This document summarizes patterns for building clusters using Chef and providing services on demand. It discusses using node attributes to store service requests, templates to generate configuration, and recipes to start services. Separate roles are used to define services and handle restarts. Pluggable alerts allow defining metrics and alerts. Logic injection techniques allow customizing community cookbooks by intercepting notifications and including custom recipes.

PostgreSQL Streaming Replication CheatsheetAlexey Lesovsky

The document provides configuration instructions and guidelines for setting up streaming replication between a PostgreSQL master and standby server, including setting parameter values for wal_level, max_wal_senders, wal_keep_segments, creating a dedicated replication role, using pg_basebackup to initialize the standby, and various recovery target options to control the standby's behavior. It also discusses synchronous replication using replication slots and monitoring the replication process on both the master and standby servers.

Clug 2012 March web server optimisationgrooverdan

Out of the box replication in postgres 9.4(pg confus)Denish Patel

This document contains notes from a presentation on PostgreSQL replication. It discusses write-ahead logs (WAL), replication history in PostgreSQL from versions 7.0 to 9.4, how to set up basic replication, tools for backups and monitoring replication, and demonstrates setting up replication without third party tools using pg_basebackup, replication slots, and pg_receivexlog. It also includes contact information for the presenter and an invitation to join the PostgreSQL Slack channel.

MySQL Replicationorczhou

Tuning Linux for Databases.Alexey Lesovsky

This presentation discusses optimizing Linux systems for PostgreSQL databases. Linux is a good choice for databases due to its active development, features, stability, and community support. The presentation covers optimizing various system resources like CPU scheduling, memory, storage I/O, and power management to improve database performance. Specific topics include disabling transparent huge pages, tuning block I/O schedulers, and selecting appropriate scaling governors. The overall message is that Linux can be adapted for database workloads through testing and iterative changes.

Java In-Process Caching - Performance, Progress and Pittfallscruftex

This document discusses Java in-process caching and summarizes benchmarks of various caching libraries. It finds that Caffeine and cache2k have faster read throughput than Google Guava Cache and EHCache3 when the number of threads increases. Cache2k is the fastest overall. Benchmarking eviction quality shows Caffeine and cache2k have more efficient eviction algorithms than LRU. While Clock is O(n) in theory, cache2k optimizes it to have little increase in scan counts even for large caches. Modern caching libraries use improved algorithms over LRU to achieve better performance.

Webinar: Tales from the Field - 48 Hours to Data Centre RecoveryMongoDB

In this webinar Ger Hartnett, Director of Engineering, Technical Services, talked about what happened when a data centre outage caused chaos and uncovered some significant flaws in a disaster recovery plan. It was late on a Friday evening, 17TB of data was at risk, and there was uncertainty about the reliability of the backups. The Technical Services team had until Monday morning to get everything back to normal.

100500 способов кэширования в Oracle Database или как достичь максимальной ск...Ontico

HighLoad++ 2017 Зал «Рио-де-Жанейро», 8 ноября, 14:00 Тезисы: http://www.highload.ru/2017/abstracts/2913.html Изначально будут раскрыты базовые причины, которые заставили появиться такой части механизма СУБД, как кэш результатов, и почему в ряде СУБД он есть или отсутствует. Будут рассмотрены различные варианты кэширования результатов как sql-запросов, так и результатов хранимой в БД бизнес-логики. Произведено сравнение способов кэширования (программируемые вручную кэши, стандартный функционал) и даны рекомендации, когда и в каких случаях данные способы оптимальны, а порой опасны. ...

Odoo Performance LimitsOdoo

1. The document describes load testing done on an Odoo implementation to determine system limits and size requirements. Tests were run using Locust and varied the number of requests per second, users, and sessions to identify bottlenecks. 2. Testing showed the initial limit was around 500 requests/second. Further tests found that sessions stored in NFS caused issues, so they were changed to store in PostgreSQL. 3. Load balanced and monolithic architectures were compared, finding the load balanced setup using 4 servers performed similarly to a single server with 40 cores for the monolithic setup.

Caching. api. http 1.1Artjoker Digital

Caching can simplify code, reduce traffic, and allow content to be viewed offline. There are different approaches to implementing caching, such as creating separate tables for each entity or using a single table with URL and response fields. Common HTTP cache-control headers help manage caching by specifying rules for validating cached responses and restricting caching. Both Android and iOS provide APIs for enabling caching with URL connections and requests.

Example R usage for oracle DBA UKOUG 2013BertrandDrouvot

The document discusses using R to analyze and visualize Oracle database metrics and statistics in real time. It provides examples of R code to connect to an Oracle database and retrieve system statistics and wait event data. The code then computes changes from the previous snapshot and graphs metrics over time, including system statistics by interval, wait times and events, and wait class distributions. It also describes splitting the screen into multiple graphs to show various views of the real-time data. The goal is to build interactive dashboards to monitor database performance using R.

Oracle: Binding versus cagingBertrandDrouvot

The document compares two methods for limiting CPU usage of databases on the same server: instance caging and processor_group_name binding. It provides facts about how each method works, observations on performance differences, and examples of customer cases where each method may be best. Instance caging allows limiting CPU count online but the SGA is interleaved, while binding groups databases to specific CPUs requiring a restart but keeps the SGA local. The best choice depends on factors like database count and whether guaranteed CPU resources are needed for some databases.

...LagSamantha Billington

This document discusses monitoring and troubleshooting replication lag in PostgreSQL. It begins with an overview of tools like Cacti, Nagios, and Zabbix for monitoring replication, and examines ways to measure replication lag using queries. Potential causes of replication lag are then explored, including configuration issues, hardware limitations, and human error. Specific configuration parameters that can affect lag are also outlined. The document concludes by discussing how hardware can impact lag and the importance of network time protocol (NTP) synchronization.

Ash masters : advanced ash analytics on Oracle Kyle Hailey

The document discusses database performance tuning. It recommends using Active Session History (ASH) and sampling sessions to identify the root causes of performance issues like buffer busy waits. ASH provides key details on sessions, SQL statements, wait events, and durations to understand top resource consumers. Counting rows in ASH approximates time spent and is important for analysis. Sampling sessions in real-time can provide the SQL, objects, and blocking sessions involved in issues like buffer busy waits.

Managing PostgreSQL with Ansible - FOSDEM PGDay 2016Gulcin Yildirim Jelinek

This document discusses managing PostgreSQL databases using Ansible. It begins with an introduction to Ansible and its key components like inventory, modules, tasks, variables, templates and playbooks. It then demonstrates how to install and use Ansible to provision Amazon EC2 instances, install PostgreSQL packages, setup streaming replication with a master and two standby servers, and add a new standby server. Various PostgreSQL and AWS-specific Ansible modules are also described.

PostgreSQL: Joining 1 million tablesHans-Jürgen Schönig

5min analyseHans-Jürgen Schönig

PostgreSQL: Welcome To Total SecurityRobert Bernier

More Related Content

What's hot (19)

Infinum Android Talks #18 - How to cache like a boss by Željko PlesacInfinum

Nine Circles of Inferno or Explaining the PostgreSQL VacuumAlexey Lesovsky

To Ksql Or Live the KStreamDani Traphagen

Chef patternsBiju Nair

PostgreSQL Streaming Replication CheatsheetAlexey Lesovsky

Clug 2012 March web server optimisationgrooverdan

Out of the box replication in postgres 9.4(pg confus)Denish Patel

MySQL Replicationorczhou

Tuning Linux for Databases.Alexey Lesovsky

Java In-Process Caching - Performance, Progress and Pittfallscruftex

Webinar: Tales from the Field - 48 Hours to Data Centre RecoveryMongoDB

100500 способов кэширования в Oracle Database или как достичь максимальной ск...Ontico

Odoo Performance LimitsOdoo

Caching. api. http 1.1Artjoker Digital

Example R usage for oracle DBA UKOUG 2013BertrandDrouvot

Oracle: Binding versus cagingBertrandDrouvot

...LagSamantha Billington

Ash masters : advanced ash analytics on Oracle Kyle Hailey

Managing PostgreSQL with Ansible - FOSDEM PGDay 2016Gulcin Yildirim Jelinek

Infinum Android Talks #18 - How to cache like a boss by Željko PlesacInfinum

Nine Circles of Inferno or Explaining the PostgreSQL VacuumAlexey Lesovsky

To Ksql Or Live the KStreamDani Traphagen

Chef patternsBiju Nair

PostgreSQL Streaming Replication CheatsheetAlexey Lesovsky

Clug 2012 March web server optimisationgrooverdan

Out of the box replication in postgres 9.4(pg confus)Denish Patel

MySQL Replicationorczhou

Tuning Linux for Databases.Alexey Lesovsky

Java In-Process Caching - Performance, Progress and Pittfallscruftex

Webinar: Tales from the Field - 48 Hours to Data Centre RecoveryMongoDB

100500 способов кэширования в Oracle Database или как достичь максимальной ск...Ontico

Odoo Performance LimitsOdoo

Caching. api. http 1.1Artjoker Digital

Example R usage for oracle DBA UKOUG 2013BertrandDrouvot

Oracle: Binding versus cagingBertrandDrouvot

...LagSamantha Billington

Ash masters : advanced ash analytics on Oracle Kyle Hailey

Managing PostgreSQL with Ansible - FOSDEM PGDay 2016Gulcin Yildirim Jelinek

Viewers also liked (11)

PostgreSQL: Joining 1 million tablesHans-Jürgen Schönig

5min analyseHans-Jürgen Schönig

PostgreSQL: Welcome To Total SecurityRobert Bernier

Walbouncer: Filtering PostgreSQL transaction logHans-Jürgen Schönig

Explain explainHans-Jürgen Schönig

PostgreSQL: Eigene Aggregate schreibenHans-Jürgen Schönig

PostgreSQL: The NoSQL wayHans-Jürgen Schönig

PostgreSQL: Advanced indexingHans-Jürgen Schönig

Secure PostgreSQL deploymentCommand Prompt., Inc

Magnus Hagander PostgreSQL supports several options for securing communications when deployed outside the typical webserver/database combination. This talk will go into some details about the features that make this possible, with some extra focus on the changes in 8.4. The main areas discussed are: * Securing the channel between client and server using SSL, including an overview of the threats and how to secure against them * Securing the login process, using LDAP, Kerberos or SSL certificates, including the use of smartcards to log into the database The talk will not focus on security and access control inside the database once the user is connected and authenticated.

Security Best Practices for your Postgres DeploymentPGConf APAC

PostgreSQL: Data analysis and analyticsHans-Jürgen Schönig

PostgreSQL: Joining 1 million tablesHans-Jürgen Schönig

5min analyseHans-Jürgen Schönig

PostgreSQL: Welcome To Total SecurityRobert Bernier

Walbouncer: Filtering PostgreSQL transaction logHans-Jürgen Schönig

Explain explainHans-Jürgen Schönig

PostgreSQL: Eigene Aggregate schreibenHans-Jürgen Schönig

PostgreSQL: The NoSQL wayHans-Jürgen Schönig

PostgreSQL: Advanced indexingHans-Jürgen Schönig

Secure PostgreSQL deploymentCommand Prompt., Inc

Security Best Practices for your Postgres DeploymentPGConf APAC

PostgreSQL: Data analysis and analyticsHans-Jürgen Schönig

Similar to PostgreSQL instance encryption: More database security (20)

PostgresOpen 2013 A Comparison of PostgreSQL Encryption OptionsFaisal Akber

Are you looking to encrypt your data within PostgreSQL? We will review the various options available for encrypting data with PostgreSQL. We will also look at various options available to employ encryption and review various configuration and performance for using encryption. There are a number of options available when encrypting data with PostgreSQL. When determining the mechanisms to use, it is important to understand the data, the application and how it is being used. We will compare different methods of encrypting data in their feature-sets and performance. We will try to answer the following questions: Where do I enable the encryption? Where is my data safe and where is it exposed? Why should I use the various encryption modules available?

PGEncryption_TutorialVibhor Kumar

This document discusses data encryption in PostgreSQL databases. It describes different layers where encryption can occur, including at the application level, database level and storage level. It provides details on using the pgcrypto extension for encryption and decryption functions. It also covers network encryption methods like using SSL and SSH tunnels. Benchmark results show around a 20% performance overhead for TPC-B tests when encrypting and decrypting column data during transactions.

Enterprise-class security with PostgreSQL - 1Ashnikbiz

Transparent Data Encryption in PostgreSQLMasahiko Sawada

The document discusses transparent data encryption in PostgreSQL. It describes threats to unencrypted database servers like privilege abuse and SQL injections. It then covers using buffer-level encryption in PostgreSQL to encrypt data in shared memory and at rest on disk. This provides encryption with less performance overhead than per-query encryption. The document proposes encrypting WAL files, system catalogs, and temporary files in addition to table data for stronger security. It also discusses key management with a two-tier architecture involving master and tablespace keys.

Transparent Data Encryption in PostgreSQL and Integration with Key Management...Masahiko Sawada

The document discusses transparent data encryption in PostgreSQL databases. It proposes encrypting data at the tablespace and buffer levels for minimal performance impact. A two-tier key architecture with separate master and data encryption keys enables fast key rotation. Integrating with key management systems provides flexible and robust key management. The solution aims to securely encrypt database content with low overhead.

PostgresqlNexThoughts Technologies

Securing PostgreSQL from External AttackAll Things Open

Presented by: Bruce Momjian Presented at the All Things Open 2021 Raleigh, NC, USA Raleigh Convention Center Abstract: This talk explores the ways attackers with no authorized database access can steal Postgres passwords, see database queries and results, and even intercept database sessions and return false data. Postgres supports features to eliminate all of these threats, but administrators must understand the attack vulnerabilities to protect against them. This talk covers all known Postgres external attack methods.

PostgreSQL : IntroductionOpen Source School

9.6_Course Material-Postgresql_002.pdfsreedb2

This document outlines an advanced administration training course for PostgreSQL. The agenda covers topics such as installation, configuration, database management, security, backups and recovery, performance tuning, replication, and monitoring. It introduces PostgreSQL and its features, community support resources, architecture including processes, memory, and disk structures, and provides objectives for individual training modules.

Introduction to PostgreSQLJim Mlodgenski

Bn 1016 demo postgre sql-online-trainingconline training

PostgreSQL Security. How Do We Think?Ohyama Masanori

Creating a Multi-Layered Secured Postgres DatabaseEDB

Best Practices in Security with PostgreSQLEDB

We will review a multi-layered framework for PostgreSQL security, with a deeper focus on limiting access to the database and data, as well as securing the data. Using the popular AAA (Authentication, Authorization, Auditing) framework we will cover: Best practices for authentication (trust, certificate, MD5, Scram, etc). Advanced approaches, such as password profiles. Deep dive of authorization and data access control for roles, database objects (tables etc), view usage, row level security and data redaction. Auditing, encryption and SQL injection attack prevention.

PUGS Meetup Presentation - 11062015Wei Shan Ang

The document discusses the journey of a database administrator from Oracle to PostgreSQL. It provides an overview of the speaker's background and experience with Oracle and PostgreSQL. It then compares some key differences between Oracle and PostgreSQL in areas like licensing, architecture and how each handles transactions and compliance with ACID properties. The document also outlines some advantages of PostgreSQL like its extensibility and some disadvantages like lack of parallelism. Overall, the speaker acknowledges Oracle's more advanced features but prefers using the free and open source PostgreSQL, working around limitations.

PG Day'14 Russia, Secure PostgreSQL Deployment, Magnus Haganderpgdayrussia

Доклад был представлен на официальной российской конференции PG Day'14 Russia, посвященной вопросам разработки и эксплуатации PostgreSQL. PostgreSQL supports several options for securing communications when deployed outside of the typical webserver/database combination, or in a high security environments. This talk will go into some details about the features that make this possible. The main areas discussed are: Securing the PostgreSQL infrastructure and runtime environment. Securing the channel between client and server using SSL, including an overview of the threats and how to secure against them. Securing the login process with methods including LDAP, Kerberos or SSL certificates.

Best Practices in Security with PostgreSQLEDB

The webinar will review a multi-layered framework for PostgreSQL security, with a deeper focus on limiting access to the database and data, as well as securing the data. Using the popular AAA (Authentication, Authorization, Auditing) framework we will cover: - Best practices for authentication (trust, certificate, MD5, Scram, etc). - Advanced approaches, such as password profiles. - Deep dive of authorization and data access control for roles, database objects (tables, etc), view usage, row-level security, and data redaction. - Auditing, encryption, and SQL injection attack prevention. Note: this session is delivered in German Speaker: Borys Neselovskyi, Sales Engineer, EDB

An evening with PostgresqlJoshua Drake

Encryption oraclemanong007

The document discusses different methods for encrypting data at rest in an Oracle database. It covers the goals of encryption, as well as encryption options like DBMS_CRYPTO, column level encryption, and tablespace encryption. DBMS_CRYPTO allows procedural encryption and decryption of data, but has key management issues. Column level and tablespace encryption are better options and more transparent than DBMS_CRYPTO.

Achieving Pci CompliaceDenish Patel

The document discusses achieving PCI compliance when using PostgreSQL for databases. It provides an overview of PCI requirements, how they apply to databases, and how PostgreSQL features like encryption, access control, and logging can help fulfill the requirements. Specific examples are given for how to implement encryption of cardholder data, restrict access according to the principle of least privilege, and maintain regularly updated software in PostgreSQL.

PostgresOpen 2013 A Comparison of PostgreSQL Encryption OptionsFaisal Akber

PGEncryption_TutorialVibhor Kumar

Enterprise-class security with PostgreSQL - 1Ashnikbiz

Transparent Data Encryption in PostgreSQLMasahiko Sawada

Transparent Data Encryption in PostgreSQL and Integration with Key Management...Masahiko Sawada

PostgresqlNexThoughts Technologies

Securing PostgreSQL from External AttackAll Things Open

PostgreSQL : IntroductionOpen Source School

9.6_Course Material-Postgresql_002.pdfsreedb2

Introduction to PostgreSQLJim Mlodgenski

Bn 1016 demo postgre sql-online-trainingconline training

PostgreSQL Security. How Do We Think?Ohyama Masanori

Creating a Multi-Layered Secured Postgres DatabaseEDB

Best Practices in Security with PostgreSQLEDB

PUGS Meetup Presentation - 11062015Wei Shan Ang

PG Day'14 Russia, Secure PostgreSQL Deployment, Magnus Haganderpgdayrussia

Best Practices in Security with PostgreSQLEDB

An evening with PostgresqlJoshua Drake

Encryption oraclemanong007

Achieving Pci CompliaceDenish Patel

Recently uploaded (20)

apidays New York 2025 - Lessons From Two Technical Transformations by Leah Hu...apidays

You Can't Outrun Complexity - But You Can Orchestrate It: Lessons From Two Technical Transformations Leah Hurwich Adler, Senior Staff Product Manager at Apollo GraphQL apidays New York 2025 API Management for Surfing the Next Innovation Waves: GenAI and Open Banking May 14 & 15, 2025 ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

apidays New York 2025 - Beyond Webhooks: The Future of Scalable API Event Del...apidays

Beyond Webhooks: The Future of Scalable API Event Delivery Phil Leggetter, Head of Developer Experience at Hookdeck apidays New York 2025 API Management for Surfing the Next Innovation Waves: GenAI and Open Banking May 14 & 15, 2025 ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

apidays New York 2025 - Why I Built Another Carbon Measurement Tool for LLMs ...apidays

Why I Built Another Carbon Measurement Tool for LLMs (And What I Learned Along the Way) Pascal Joly, Sustainability Consultant and Instructor at IT Climate Ed apidays New York 2025 API Management for Surfing the Next Innovation Waves: GenAI and Open Banking May 14 & 15, 2025 ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

AG-FIRMA FINCOME ARTICLE AI AGENT RAG.pdfAnass Nabil

apidays Singapore 2025 - What exactly are AI Agents by Aki Ranin (Earthshots ...apidays

What exactly are AI Agents? Aki Ranin, Head of AI at Earthshots Collective | Deep Tech & AI Investor | 2x Founder | Published Author apidays Singapore 2025 Where APIs Meet AI: Building Tomorrow's Intelligent Ecosystems April 15 & 16, 2025 ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

apidays New York 2025 - Boost API Development Velocity with Practical AI Tool...apidays

Boost API Development Velocity with Practical AI Tooling Sumit Amar, VP of Engineering at WEX apidays New York 2025 API Management for Surfing the Next Innovation Waves: GenAI and Open Banking May 14 & 15, 2025 ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Advanced_English_Pronunciation_in_Use.pdfleogoemmanguyenthao

THE FRIEDMAN TEST ( Biostatics B. Pharm)JishuHaldar

The Friedman Test is a valuable non-parametric alternative to the Repeated Measures ANOVA, allowing for the comparison of three or more related groups when data is ordinal or not normally distributed. By ranking data instead of using raw values, the test overcomes the limitations of parametric tests, making it ideal for small sample sizes and real-world applications in medicine, psychology, pharmaceutical sciences, and education. However, while it effectively detects differences among groups, it does not indicate which specific groups differ, requiring further post-hoc analysis.

apidays New York 2025 - Fast, Repeatable, Secure: Pick 3 with FINOS CCC by Le...apidays

Fast, Repeatable, Secure: Pick 3 with FINOS CCC Leigh Capili, Kubernetes Contributor at Control Plane apidays New York 2025 API Management for Surfing the Next Innovation Waves: GenAI and Open Banking May 14 & 15, 2025 ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

apidays New York 2025 - Building Green Software by Marissa Jasso & Katya Drey...apidays

Building Green Software: How Cloud-Native Platforms Can Power Sustainable App Development Katya Dreyer-Oren, Lead Software Engineer at Heroku (Salesforce) Marissa Jasso, Product Manager at Heroku (Salesforce) apidays New York 2025 API Management for Surfing the Next Innovation Waves: GenAI and Open Banking Convene 360 Madison, New York May 14 & 15, 2025 ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Ch01_Introduction_to_Information_SecuritKawukiDerrick

MICROSOFT POWERPOINT AND USES(BEST)..pdfbathyates

BODMAS-Rule-&-Unit-Digit-Concept-pdf.pdfSiddharthSean

apidays New York 2025 - Spring Modulith Design for Microservices by Renjith R...apidays

Spring Modulith Design for Microservices Renjith Ramachandran, Senior Solutions Architect at BJS Wholesale Club apidays New York 2025 API Management for Surfing the Next Innovation Waves: GenAI and Open Banking Convene 360 Madison, New York May 14 & 15, 2025 ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

What is FinOps as a Service and why is it Trending?Amnic

The way we build and scale companies today has changed forever because of cloud adoption. However, this flexibility introduces unpredictability, which often results in overspending, inefficiencies, and a lack of cost accountability. FinOps as a Service is a modern approach to cloud cost management that combines powerful tooling with expert advisory to bring financial visibility, governance, and optimization into the cloud operating model, without slowing down the engineering team. FinOps empowers the engineering team, finance, and leadership/management as they make data-informed decisions about cost, together. In this presentation, we will break down what FinOps is, why it matters more than ever, and a little about how a managed FinOps service can help organizations: - Optimize cloud spend - without slowing down dev - Create visibility into the cost per team, service, or feature - Set financial guardrails while allowing autonomy in engineering - Drive cultural alignment between finance, engineering, and product This will guide and help whether you are a cloud-native startup or a scaling enterprise, and convert cloud cost into a strategic advantage.

LONGSEM2024-25_CSE3015_ETH_AP2024256000125_Reference-Material-I.pptxvemuripraveena2622

apidays New York 2025 - The Future of Small Business Lending with Open Bankin...apidays

The Future of Small Business Lending with Open Banking – Bridging the $750 Billion Funding Gap Charles Groome, Vice President of Growth Strategy at Biz2Credit apidays New York 2025 API Management for Surfing the Next Innovation Waves: GenAI and Open Banking May 14 & 15, 2025 ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

[Eddie Lee] Capstone Project - AI PM Bootcamp - DataFox.pdfEddie Lee

MEDIA_LITERACY_INDEX_OF_EDUCATORS_ENG.pdfOlhaTatokhina1

apidays Singapore 2025 - Enhancing Developer Productivity with UX (Government...apidays

Enhancing Developer Productivity with UX Petrine Tang, UX Designer at Government Technology Agency Faith Ang, Product Manager at Government Technology Agency apidays Singapore 2025 Where APIs Meet AI: Building Tomorrow's Intelligent Ecosystems April 15 & 16, 2025 ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

apidays New York 2025 - Lessons From Two Technical Transformations by Leah Hu...apidays

apidays New York 2025 - Beyond Webhooks: The Future of Scalable API Event Del...apidays

apidays New York 2025 - Why I Built Another Carbon Measurement Tool for LLMs ...apidays

AG-FIRMA FINCOME ARTICLE AI AGENT RAG.pdfAnass Nabil

apidays Singapore 2025 - What exactly are AI Agents by Aki Ranin (Earthshots ...apidays

apidays New York 2025 - Boost API Development Velocity with Practical AI Tool...apidays

Advanced_English_Pronunciation_in_Use.pdfleogoemmanguyenthao

THE FRIEDMAN TEST ( Biostatics B. Pharm)JishuHaldar

apidays New York 2025 - Fast, Repeatable, Secure: Pick 3 with FINOS CCC by Le...apidays

apidays New York 2025 - Building Green Software by Marissa Jasso & Katya Drey...apidays

Ch01_Introduction_to_Information_SecuritKawukiDerrick

MICROSOFT POWERPOINT AND USES(BEST)..pdfbathyates

BODMAS-Rule-&-Unit-Digit-Concept-pdf.pdfSiddharthSean

apidays New York 2025 - Spring Modulith Design for Microservices by Renjith R...apidays

What is FinOps as a Service and why is it Trending?Amnic

LONGSEM2024-25_CSE3015_ETH_AP2024256000125_Reference-Material-I.pptxvemuripraveena2622

apidays New York 2025 - The Future of Small Business Lending with Open Bankin...apidays

[Eddie Lee] Capstone Project - AI PM Bootcamp - DataFox.pdfEddie Lee

MEDIA_LITERACY_INDEX_OF_EDUCATORS_ENG.pdfOlhaTatokhina1

apidays Singapore 2025 - Enhancing Developer Productivity with UX (Government...apidays

PostgreSQL instance encryption: More database security

1. Full PostgreSQL instance encryption Hans-Jürgen Schönig www.postgresql-support.de Hans-Jürgen Schönig www.postgresql-support.de

2. First of all Hans-Jürgen Schönig www.postgresql-support.de

3. Did . . . Did everybody have a good time in Tallinn? Hans-Jürgen Schönig www.postgresql-support.de

4. Introduction Hans-Jürgen Schönig www.postgresql-support.de

5. Cybertec Schönig & Schönig GmbH 24x7 support for PostgreSQL PostgreSQL training PostgreSQL consulting Hans-Jürgen Schönig www.postgresql-support.de

6. Get more out of PostgreSQL Hans-Jürgen Schönig www.postgresql-support.de

7. PostgreSQL features PostgreSQL provides many features Many “Enterprise” features are available e.g. replication, analytics, etc. Hans-Jürgen Schönig www.postgresql-support.de

8. Missing stuﬀ Nothing is feature complete Once in a while everybody ﬁnds missing parts Hans-Jürgen Schönig www.postgresql-support.de

9. Sponsoring vs. licensing Remember, PostgreSQL is Open Source Sponsoring a feature is often cheaper than buying commercial licenses No need to chain yourself to a commercial vendor Hans-Jürgen Schönig www.postgresql-support.de

10. Database encryption: An example Hans-Jürgen Schönig www.postgresql-support.de

11. Speciﬁc customer requirements Customer could only provide encryption based on expensive commercial software Encryption is needed to fulﬁll legal and internal requirements Hans-Jürgen Schönig www.postgresql-support.de

12. Making it work Implement highly optimized code to handle encryption on the block level in PostgreSQL Totally transparent to the end user Keys can be stored in a key store of your choice Hans-Jürgen Schönig www.postgresql-support.de

13. What it does We encrypt: Tables Indexes Temporary files Full WAL encryption Commit Log (clog) More stuff: Subtransaction directories, MultiXact . . . What we do not encrypt (yet): pg_stat_statements, logical replication buffers, control data (on purpose) Hans-Jürgen Schönig www.postgresql-support.de

14. Encryption technology Extensible mechanism Included in pgcrypto: AES-XTS 128 Future versions will use Intel hardware support Current prototype does 4 GB / sec per core ! Hans-Jürgen Schönig www.postgresql-support.de

15. Good news We all got encryption now Not yet in core but available to end users already with full professional support Patch on hackers Anybody willing to feedback? Hans-Jürgen Schönig www.postgresql-support.de

16. Commercial success Writing code + integrating was cheaper than just integrating commercial stuﬀ Makes sense for everybody Customer Community Hans-Jürgen Schönig www.postgresql-support.de

17. What we learn from this Have the guts and the conviction to do what is right Think for yourself Find solutions to YOUR problems Do not change your requirements just because some commercial vendor forces you to do so Beneﬁt from Open Source Invest wisely Hans-Jürgen Schönig www.postgresql-support.de

18. Where can we get the code? Our website has the code: http://www.cybertec.at/en/products/postgresql-instance- level-encryption/ It is under PostgreSQL license Hans-Jürgen Schönig www.postgresql-support.de

19. Finally Hans-Jürgen Schönig www.postgresql-support.de

20. Any questions? Feel free to ask Hans-Jürgen Schönig www.postgresql-support.de

21. Contact us Cybertec Schönig & Schönig GmbH Email: [email protected] Web: www.postgresql-support.de Follow us on Twitter: @PostgresSupport Hans-Jürgen Schönig www.postgresql-support.de

PostgreSQL instance encryption: More database security

Recommended

More Related Content

What's hot (19)

Viewers also liked (11)

Similar to PostgreSQL instance encryption: More database security (20)

Recently uploaded (20)

PostgreSQL instance encryption: More database security