Transparent Data Encryption in PostgreSQL and Integration with Key Management Service
Copyright©2019 NTT Corp. All Rights Reserved.
• Database and Threats
• Data at rest Encryption
• Transparent data encryption
• Transparent data encryption in PostgreSQL
• Key rotation
• Key Management
• Integration of PostgreSQL with key management system
• Conclusion
• Database servers are often the primary target of the
following attacks
• Privilege abuse
• SQL injection attacks
• Storage media theft
• Eavesdropping attacks between client and server
• etc.
• Reasons to protect the database
• Databases store valuable and sensitive data; even a small leak
carries a high risk
• Essential data protection standards and regulations for
businesses
• PCI DSS, GDPR, HIPAA etc.
Various data protection standards and regulations
require data encryption
• Data at rest
• Backup files and database cluster files stored in physical storage
• Measures against threats to data at rest in PostgreSQL
• Data encryption using pgcrypto or Full disk encryption
However, using pgcrypto or full disk encryption
does not meet some requirements
[Figure: two database storages under a threat of theft. Where user data is stored encrypted, the data is secure; where it is stored non-encrypted, the data leaks.]
• Minimize performance degradation
• Using pgcrypto degrades application program performance
• Platform-independent
• Minimize application program development cost
• Secure encryption key management
• Periodic key rotation
• Minimize performance degradation
• Platform-independent
• Full disk encryption is platform-dependent
• Minimize application program development cost
• Secure encryption key management
• Periodic key rotation
• Minimize performance degradation
• Platform-independent
• Minimize application program development cost
• Using pgcrypto requires many application program modifications
• Secure encryption key management
• Periodic key rotation
• Many modifications of the application program source
code for the areas (tables) where encryption is required
• Regression testing required after source code
modification
• Supporting encryption increases time and labor costs
SQL statement before encryption:
=# INSERT INTO card_info (user_name, card_number)
   VALUES ('MOON INSUNG', '1234-2345-3456-4567');

SQL statement after encryption using pgcrypto (encrypt(data, key, type)):
=# INSERT INTO card_info (user_name, card_number)
   VALUES ('MOON INSUNG',
           encrypt('1234-2345-3456-4567', 'KEY_VALUE', 'aes-cbc'));
• Minimize performance degradation
• Platform-independent
• Minimize application program development cost
• Secure encryption key management
• pgcrypto doesn't provide secure encryption key management
facilities out-of-the-box
• Periodic key rotation
• If encryption key is leaked, the encrypted data at rest
cannot be protected from threats of malicious access
• Storing encrypted data and its key in the same place
makes the data encryption meaningless
• Key management in a separate secure place for the
encryption keys
[Figure: the database storage holds only encrypted data; the encryption key is kept in a separate, secure location. When a theft of the storage occurs, the data remains secure.]
• Minimize performance degradation
• Platform-independent
• Minimize application program development cost
• Secure encryption key management
• Periodic key rotation
• Reduced performance due to re-encryption when rotating keys
[Figure: key rotation without a key hierarchy: the encrypted data in the database storage is decrypted with the current key, exists temporarily as non-encrypted data, and is then re-encrypted with the new key. Performance degradation due to re-encryption and data unavailability during the process.]
• Requirements related to data encryption
• Minimize performance degradation
• Platform-independent
• Minimize application program development cost
• Secure encryption key management
• Periodic key rotation
• It is difficult to satisfy these data encryption requirements
with pgcrypto or full disk encryption in PostgreSQL
In the following slides,
we describe the result of our efforts to address these challenges
1. Per tablespace encryption
2. Transparent encryption at a layer between
PostgreSQL’s shared buffer and OS
3. 2-tier key architecture
4. WAL encryption
5. System catalogs encryption
6. Temporary files encryption
• Create encryption-enabled tablespaces
• Tables and indexes on the tablespace are transparently
encrypted
• Fewer DDL modifications

=# CREATE TABLESPACE enc_tblsp
     LOCATION ... WITH (encryption_algorithm = 'aes128');
=# CREATE TABLE card (...) TABLESPACE enc_tblsp;
=# SET default_tablespace TO enc_tblsp;
=# CREATE TABLE card2 (...);
• Two possible solutions for now
• Using pgcrypto with views and triggers
• Full disk encryption (FDE)
• In our solution, encryption and decryption are performed
when pages are written to or read from disk
[Figure: the PostgreSQL I/O path. Backend processes (postgres) share the shared buffers; below them sit the kernel page cache and the disk holding the raw block data.]
• Backend processes read pages from the shared buffers and modify them.
• bgwriter periodically writes the dirty pages out to the kernel page cache.
• Dirty pages are flushed to the disk by the checkpointer or the kernel.
Approach 1: encrypt data inside the shared buffers (pgcrypto with views and triggers)
[Figure: raw data exists only inside the backend processes; the shared buffers, the kernel page cache and the disk hold encrypted data.]
Pros:
• Protects data even in the shared buffers
Cons:
• Encryption and decryption are needed whenever a buffer in the shared buffers is accessed
• Different backends encrypt/decrypt the same buffer

Approach 2: full disk encryption (encryption in the kernel)
[Figure: raw data in the backends, the shared buffers and the kernel page cache; only the disk holds encrypted data.]
Pros:
• Less execution of encryption and decryption
Cons:
• Platform dependence
• Cannot protect data from peeking by a logged-in OS user

Approach 3: buffer-level encryption (between the shared buffers and the OS)
[Figure: raw data in the backends and the shared buffers; the kernel page cache and the disk hold encrypted data.]
Pros:
• Relatively less execution of encryption and decryption
• Prevents peeking at the file on disk
Cons:
• Possibly more encryption and decryption is performed when database size > shared buffers
Comparison of the three approaches:

  Approach                     Transparency     Performance impact   Protection against threats
  1. Using pgcrypto            OK (using views  High                 * Disk theft
     (views and triggers)      and triggers)                         * Memory dump
                                                                     * Peeking at data on disk
  2. Full disk encryption      OK               Low                  * Disk theft
  3. Buffer-level encryption   OK               Middle               * Disk theft
                                                                     * Peeking at data on disk
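A toy model of the buffer-level approach, added here as an example and not part of the NTT PoC or of PostgreSQL itself: pages sit in plaintext in an LRU shared-buffer pool, and only the disk layer encrypts (on eviction or checkpoint) and decrypts (on a buffer miss). It counts how many decryptions a sequential scan costs when the data set fits in shared buffers versus when it does not, which is the "database size > shared buffers" caveat above, and checks that the stored ciphertext does not reveal a card number while the buffer does (the memory-dump gap in the comparison table). The page size, the key, the HMAC-SHA256 counter-mode keystream (standing in for AES so the example runs on the standard library) and the workload are all assumptions.

```python
"""Model of buffer-level TDE: plaintext in shared buffers, ciphertext on disk."""
import hashlib
import hmac
from collections import OrderedDict

PAGE_SIZE = 32  # constructed toy page size; real PostgreSQL pages are 8 KiB
TABLESPACE_KEY = b"constructed-32-byte-tablespace-k"  # constructed sample key


def keystream(key: bytes, page_no: int, n: int) -> bytes:
    """Stand-in keystream: HMAC-SHA256 in counter mode bound to the page number.
    The slides' PoC uses AES; this runs on the standard library alone."""
    out, counter = b"", 0
    while len(out) < n:
        msg = page_no.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:n]


def xor_crypt(key: bytes, page_no: int, data: bytes) -> bytes:
    """Symmetric stream operation: the same call encrypts and decrypts a page."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, page_no, len(data))))


class EncryptedDisk:
    """The layer below the shared buffers: only ciphertext is ever stored here."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.blocks = {}
        self.encrypt_calls = 0
        self.decrypt_calls = 0

    def write_page(self, page_no: int, plain: bytes) -> None:
        self.encrypt_calls += 1
        self.blocks[page_no] = xor_crypt(self.key, page_no, plain)

    def read_page(self, page_no: int) -> bytes:
        self.decrypt_calls += 1
        return xor_crypt(self.key, page_no, self.blocks[page_no])


class SharedBuffers:
    """LRU pool of plaintext pages; crypto happens only on miss and on write-back."""

    def __init__(self, disk: EncryptedDisk, capacity: int) -> None:
        self.disk = disk
        self.capacity = capacity
        self.pages = OrderedDict()  # page_no -> plaintext, oldest first
        self.dirty = set()

    def get_page(self, page_no: int) -> bytes:
        if page_no in self.pages:  # buffer hit: no encryption work at all
            self.pages.move_to_end(page_no)
            return self.pages[page_no]
        if len(self.pages) >= self.capacity:
            self._evict(next(iter(self.pages)))
        plain = self.disk.read_page(page_no)  # miss: decrypt once on the way in
        self.pages[page_no] = plain
        return plain

    def _evict(self, page_no: int) -> None:
        plain = self.pages.pop(page_no)
        if page_no in self.dirty:  # bgwriter path: encrypt a dirty victim on the way out
            self.dirty.discard(page_no)
            self.disk.write_page(page_no, plain)

    def modify_page(self, page_no: int, new_plain: bytes) -> None:
        self.get_page(page_no)
        self.pages[page_no] = new_plain
        self.dirty.add(page_no)

    def checkpoint(self) -> None:
        for page_no in sorted(self.dirty):  # checkpointer path
            self.disk.write_page(page_no, self.pages[page_no])
        self.dirty.clear()


def build_database(n_pages: int) -> EncryptedDisk:
    disk = EncryptedDisk(TABLESPACE_KEY)
    for i in range(n_pages):
        disk.write_page(i, f"page{i:02d}".encode().ljust(PAGE_SIZE, b"."))
    disk.encrypt_calls = 0  # the initial load is not part of the workload
    return disk


def scan_decryptions(n_pages: int, shared_buffers: int, passes: int) -> int:
    """Decryptions performed by `passes` sequential scans over `n_pages` pages."""
    disk = build_database(n_pages)
    buf = SharedBuffers(disk, shared_buffers)
    for _ in range(passes):
        for page_no in range(n_pages):
            buf.get_page(page_no)
    return disk.decrypt_calls


def peek_check() -> tuple:
    """(secret visible in shared buffers, secret visible on disk) after a checkpoint."""
    disk = build_database(2)
    buf = SharedBuffers(disk, 2)
    secret = b"1234-2345-3456-4567"  # sample card number from the slides
    buf.modify_page(0, (b"card=" + secret).ljust(PAGE_SIZE, b"."))
    buf.checkpoint()
    return secret in buf.pages[0], secret in disk.blocks[0]


if __name__ == "__main__":
    print("DB fits in shared buffers:", scan_decryptions(4, 8, 5))
    print("DB larger than shared buffers:", scan_decryptions(8, 4, 5))
    print("secret visible (buffers, disk):", peek_check())
```

With four pages and eight buffers, five scans cost four decryptions in total; with eight pages and four buffers the LRU pool thrashes and every one of the forty page accesses decrypts, which is the cost the slides warn about. The peek check returns `(True, False)`: a process that can read the shared buffers sees the plaintext, the disk image does not contain it.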
• Wrote proof-of-concept code for per-tablespace TDE
• Tablespace encryption
• Transparent encryption
• 2-tier key architecture
• Key rotation
• Features the PoC code doesn't support (for now):
• WAL encryption
• System catalog encryption
• Temporary files encryption
• PostgreSQL 11.1
• Vanilla PostgreSQL
• PostgreSQL with TDE PoC code
• PostgreSQL with pgcrypto
• 32GB RAM, 500GB HDD
• 6GB shared buffers
• Data sets
• 5GB (< shared_buffers)
• 15GB (> shared_buffers)
• Observations
• TPS
• Response times
• Duration: 5min
Benchmark results (TPS over the run and 90th-percentile latency):

[Chart: TPS comparison (R:100, W:3), DB size < shared buffers; TPS vs duration (sec) for vanilla, TDE and pgcrypto]
Latency (90th percentile): vanilla 1.98 ms, TDE 2.01 ms, pgcrypto 2.28 ms

[Chart: TPS comparison (R:100), DB size > shared buffers; TPS vs duration (sec) for vanilla, TDE and pgcrypto]
Latency (90th percentile): vanilla 2.32 ms, TDE 2.45 ms, pgcrypto 2.66 ms
• Master Key and Data Encryption Key
• The master key is separated from encrypted data
• Stored outside of the database
• The data encryption keys are managed by database
• Faster key rotation
[Figure: the master key encrypts/decrypts the data encryption key; the data encryption key encrypts/decrypts the (plain) data, producing the encrypted data.]
[Figure: key rotation in the 2-tier architecture: the new master key re-encrypts only the data encryption key; the encrypted data, which is encrypted with that data encryption key, stays unchanged.]
• Key rotation with a single key always requires re-encrypting the data
• With the 2-tier key architecture, rotating the master key requires
re-encrypting only the data encryption keys, not the data
• 16, 24, 32 byte keys for AES-128, AES-192, AES-256
• One symmetric key per tablespace
• WAL also contains sensitive data
• WAL records of encrypted relations are encrypted when they
are inserted into the WAL buffers
• Two system catalogs could contain sensitive user data
• pg_statistic
• pg_statistic_ext
For example, the column statistics exposed through the pg_stats view:
=# SELECT tablename, attname, histogram_bounds FROM pg_stats
WHERE tablename = 'card';
-[ RECORD 1 ]----+-----------------------------------------------
tablename | card
attname | card_number
histogram_bounds | {1102-6674-6045-5459,1606-6441-9374-1335,2507-
2573-1560-9962,3323-3000-4260-1336,4319-9183-6377-7031,6035-9617-
5940-2060,6682-5210-8901-2679,7304-3837-8200-8185,8391-3583-3888-
1725,9091-3895-2466-7845,9970-5910-3522-1423}
• Temporary files are written bypassing the shared buffers
• base/pgsql_tmp/
• pg_replslot/
[Figure: a backend (postgres) writes temp files directly to disk, bypassing the shared buffers.]
• Per-tablespace, buffer-level transparent encryption
• 2-tier key architecture
• Encrypt WAL, system catalogs and temporary files
• SLRU buffers and fork relations are not encrypted
• Pros
• Less DDL modification
• Less performance impact
• Fast key rotation
• Cons
• Cannot be set per user
• Cannot prevent attacks by a malicious superuser
• Services or systems dedicated to managing keys robustly
• Usually support standard key management protocols
• KMIP
• PKCS#11
• SafeNet KeySecure, Amazon KMS, Oracle KeyVault etc.
• Robust key management
• Users don't need to worry about key life cycles
[Figure: PostgreSQL registers the master key in the key management system and removes an old master key from it. To encrypt/decrypt, PostgreSQL gets the master key from the KMS and uses it to decrypt the data encryption keys, which in turn encrypt/decrypt the data.]
• KMSs support different interfaces and protocols
• KMIP, PKCS#11, etc.
• Our solution
• Pluggable architecture to communicate with various KMSs
• Add generic key management APIs
• get key, register key, remove key etc.
• Protecting the encryption key is as important as encrypting the data
• Integration with a KMS frees the user from key management
• Adding generic key management APIs enables us to
communicate with various key management systems
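The 2-tier key hierarchy and rotation flow from the earlier section, together with the generic get/register/remove key API described here, as an added example that is not the NTT PoC's code: an in-memory stand-in for a KMS holds the master key, the per-tablespace data encryption keys are kept inside the cluster only in wrapped form, and rotating the master key registers the new key, re-wraps each DEK under it and removes the old key, without touching any encrypted user data. The class and key names, the nonce-prefixed wrapping format and the HMAC-SHA256 counter-mode keystream (standing in for AES so the example runs on the standard library) are all assumptions.

```python
"""2-tier TDE key hierarchy: master key in a KMS, per-tablespace DEKs wrapped by it."""
import hashlib
import hmac
import os
from abc import ABC, abstractmethod


def keystream(key: bytes, label: bytes, n: int) -> bytes:
    """Stand-in keystream (HMAC-SHA256 in counter mode); the slides' PoC uses AES."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def xor_crypt(key: bytes, label: bytes, data: bytes) -> bytes:
    """Symmetric stream operation: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, label, len(data))))


class KeyManagementSystem(ABC):
    """Generic key management API (get key, register key, remove key); a KMIP- or
    PKCS#11-speaking backend would plug in behind this interface."""

    @abstractmethod
    def get_key(self, key_id: str) -> bytes: ...

    @abstractmethod
    def register_key(self, key_id: str, key: bytes) -> None: ...

    @abstractmethod
    def remove_key(self, key_id: str) -> None: ...


class InMemoryKMS(KeyManagementSystem):
    """Constructed stand-in backend; a real KMS keeps keys in an HSM or a service."""

    def __init__(self) -> None:
        self._keys = {}

    def get_key(self, key_id: str) -> bytes:
        return self._keys[key_id]  # KeyError once the key has been removed

    def register_key(self, key_id: str, key: bytes) -> None:
        self._keys[key_id] = key

    def remove_key(self, key_id: str) -> None:
        del self._keys[key_id]


class TdeKeyring:
    """DEKs are managed by the database but stored only wrapped by the master key."""

    NONCE_LEN = 16

    def __init__(self, kms: KeyManagementSystem, master_key_id: str) -> None:
        self.kms = kms
        self.master_key_id = master_key_id
        self.wrapped_deks = {}  # tablespace -> nonce || DEK wrapped by the master key

    def _wrap(self, master_key_id: str, dek: bytes) -> bytes:
        nonce = os.urandom(self.NONCE_LEN)
        return nonce + xor_crypt(self.kms.get_key(master_key_id), nonce, dek)

    def _unwrap(self, tablespace: str) -> bytes:
        blob = self.wrapped_deks[tablespace]
        nonce, body = blob[: self.NONCE_LEN], blob[self.NONCE_LEN :]
        return xor_crypt(self.kms.get_key(self.master_key_id), nonce, body)

    def create_tablespace_key(self, tablespace: str, key_len: int = 32) -> None:
        """One symmetric key per tablespace; 32 bytes as for AES-256 (16/24 for AES-128/192)."""
        self.wrapped_deks[tablespace] = self._wrap(self.master_key_id, os.urandom(key_len))

    def encrypt_block(self, tablespace: str, block_no: int, plain: bytes) -> bytes:
        return xor_crypt(self._unwrap(tablespace), block_no.to_bytes(8, "big"), plain)

    def decrypt_block(self, tablespace: str, block_no: int, cipher: bytes) -> bytes:
        return xor_crypt(self._unwrap(tablespace), block_no.to_bytes(8, "big"), cipher)

    def rotate_master_key(self, new_key_id: str) -> int:
        """Register a new master key, re-wrap every DEK under it, remove the old key.
        Returns the number of key bytes re-encrypted; user data is never touched."""
        self.kms.register_key(new_key_id, os.urandom(32))
        rewrapped = 0
        for tablespace in list(self.wrapped_deks):
            dek = self._unwrap(tablespace)  # still wrapped by the old master key
            self.wrapped_deks[tablespace] = self._wrap(new_key_id, dek)
            rewrapped += len(dek)
        old_key_id, self.master_key_id = self.master_key_id, new_key_id
        self.kms.remove_key(old_key_id)
        return rewrapped


def rotation_demo() -> dict:
    kms = InMemoryKMS()
    kms.register_key("mk-v1", os.urandom(32))  # key ids are constructed
    ring = TdeKeyring(kms, "mk-v1")
    ring.create_tablespace_key("enc_tblsp")
    plain = b"card_number=1234-2345-3456-4567"  # sample value from the slides
    before = ring.encrypt_block("enc_tblsp", 7, plain)
    rewrapped = ring.rotate_master_key("mk-v2")
    try:
        kms.get_key("mk-v1")
        old_removed = False
    except KeyError:
        old_removed = True
    return {
        "stored_ciphertext_still_valid": ring.decrypt_block("enc_tblsp", 7, before) == plain,
        "same_dek_after_rotation": ring.encrypt_block("enc_tblsp", 7, plain) == before,
        "old_master_key_removed": old_removed,
        "bytes_rewrapped": rewrapped,  # 32 per tablespace, independent of data volume
    }


if __name__ == "__main__":
    print(rotation_demo())
```

The rotation re-encrypts 32 bytes per tablespace no matter how large the relations are, which is the "fast key rotation" benefit; the ciphertext written before the rotation still decrypts afterwards because the DEK itself never changed. A production implementation would wrap the DEK with an authenticated construction (AES key wrap or an AEAD) rather than a bare stream cipher, so that a tampered wrapped key is rejected instead of silently unwrapping to garbage.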
• Per tablespace, buffer-level transparent data at rest
encryption
• Less performance overhead
• Encrypt WAL, system catalogs and temporary files as well
• 2-tier key architecture
• Fast key rotation
• Integration with KMSs
• More flexible and robust key management
1. Basic components of transparent data encryption
• Per tablespace encryption*
• 2-tier key architecture*
• Key rotation*
• System catalog encryption
• Temporary file encryption
• Fetching the master key by arbitrary commands*
2. WAL encryption
3. Integration with KMSs
• Pluggable
• Registering key, removing key ...
The PoC code has the *-marked features
PREDICTING RIVER WATER QUALITY ppt presentationvaddepallysandeep122
 
Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Mater
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesPhilip Schwarz
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...OnePlan Solutions
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtimeandrehoraa
 
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdfExploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdfkalichargn70th171
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based projectAnoyGreter
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsAhmed Mohamed
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024StefanoLambiase
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxTier1 app
 
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company OdishaBalasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odishasmiwainfosol
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfFerryKemperman
 
Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalLionel Briand
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureDinusha Kumarasiri
 
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsSensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsChristian Birchler
 
Comparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfComparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfDrew Moseley
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaHanief Utama
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWave PLM
 
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Natan Silnitsky
 

Recently uploaded (20)

PREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING  RIVER  WATER QUALITY  ppt presentationPREDICTING  RIVER  WATER QUALITY  ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentation
 
Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a series
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtime
 
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdfExploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based project
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML Diagrams
 
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort ServiceHot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company OdishaBalasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdf
 
Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive Goal
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsSensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
 
Comparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfComparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdf
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief Utama
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need It
 
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
 

Transparent Data Encryption in PostgreSQL and Integration with Key Management Service

1. Copyright©2019 NTT Corp. All Rights Reserved.

2.
• Database and Threats
• Data at rest Encryption
• Transparent data encryption
• Transparent data encryption in PostgreSQL
• Key rotation
• Key Management
• Integration of PostgreSQL with key management system
• Conclusion

3. (no text on this slide)

4.
• Database servers are often the primary target of the following attacks
  • Privilege abuse
  • SQL injection attacks
  • Storage media theft
  • Eavesdropping attacks between client and server
  • etc.

5.
• Reasons to protect the database
  • Databases store valuable and sensitive data; even a small leak poses a high risk
  • Data protection standards and regulations that are essential for businesses
    • PCI DSS, GDPR, HIPAA, etc.
• Various data protection standards and regulations require data encryption

6. (no text on this slide)

7.
• Data at rest
  • Backup files and database cluster files stored in physical storage
• Measures against threats to data at rest in PostgreSQL
  • Data encryption using pgcrypto or full disk encryption
• However, using pgcrypto or full disk encryption does not meet some requirements
[Figure: when the storage is stolen, user data stored encrypted stays secure; user data stored unencrypted leaks.]

8.
• Minimize performance degradation
  • Using pgcrypto degrades application program performance
• Platform-independent
• Minimize application program development cost
• Secure encryption key management
• Periodic key rotation

9.
• Minimize performance degradation
• Platform-independent
  • Using full disk encryption depends on the platform
• Minimize application program development cost
• Secure encryption key management
• Periodic key rotation

10.
• Minimize performance degradation
• Platform-independent
• Minimize application program development cost
  • Using pgcrypto requires many application program modifications
• Secure encryption key management
• Periodic key rotation

11.
• Many modifications of the application program source code for the areas (tables) where encryption is required
• Regression testing required after source code modification
• Supporting encryption increases time and labor costs

SQL statement before encryption:
  =# INSERT INTO card_info (user_name, card_number) VALUES ('MOON INSUNG', '1234-2345-3456-4567');

SQL statement after encryption using pgcrypto:
  =# INSERT INTO card_info (user_name, card_number) VALUES ('MOON INSUNG', encrypt('1234-2345-3456-4567', 'KEY_VALUE', 'aes-cbc'));

12.
• Minimize performance degradation
• Platform-independent
• Minimize application program development cost
• Secure encryption key management
  • pgcrypto doesn't provide secure encryption key management facilities out of the box
• Periodic key rotation

13.
• If the encryption key is leaked, the encrypted data at rest cannot be protected from threats of malicious access
• Storing encrypted data and its key in the same place makes the data encryption meaningless

14.
• Key management in a separate secure place for the encryption keys
[Figure: encrypted data in database storage, with the key kept in a separate secure location; the data stays secure even when the storage is stolen.]

15.
• Minimize performance degradation
• Platform-independent
• Minimize application program development cost
• Secure encryption key management
• Periodic key rotation
  • Reduced performance due to re-encryption when rotating keys
[Figure: rotating a key by decrypting the data with the current key and re-encrypting it with the new key causes performance degradation and data unavailability during re-encryption.]

16.
• Requirements related to data encryption
  • Minimize performance degradation
  • Platform-independent
  • Minimize application program development cost
  • Secure encryption key management
  • Periodic key rotation
• It is difficult to satisfy these requirements using pgcrypto and full disk encryption in PostgreSQL
• In the following slides, we describe the result of our efforts to address these challenges

17. (no text on this slide)

18.
1. Per tablespace encryption
2. Transparent encryption at a layer between PostgreSQL's shared buffers and the OS
3. 2-tier key architecture
4. WAL encryption
5. System catalog encryption
6. Temporary file encryption

19.
• Create encryption-enabled tablespaces
• Tables and indexes on the tablespace are transparently encrypted
• Less modification of DDLs

  =# CREATE TABLESPACE enc_tblsp LOCATION ... WITH (encryption_algorithm = 'aes128');
  =# CREATE TABLE card (...) TABLESPACE enc_tblsp;
  =# SET default_tablespace TO enc_tblsp;
  =# CREATE TABLE card2 (...);

20.
• Two possible solutions for now
  • Using pgcrypto with views and triggers
  • Full disk encryption (FDE)
• Our solution is to perform encryption and decryption when writing to and reading from disk

21.
[Figure: backend processes (postgres), the shared buffers, the kernel page cache and the disk holding raw block data.]

22.
[Figure: same layers as slide 21.] Backend processes read pages from the shared buffers and modify them.

23.
[Figure: same layers as slide 21.] bgwriter periodically writes the dirty pages out to the kernel page cache.

24.
[Figure: same layers as slide 21.] Dirty pages are flushed to the disk by the checkpointer or the kernel.

25.
[Figure: where raw data and encrypted data sit across backend, shared buffers, page cache and disk for this option.]
• Pros
  • Protects data even in the shared buffers
• Cons
  • Encryption and decryption are needed whenever a buffer in the shared buffers is accessed
  • Different backends encrypt/decrypt the same buffer

26.
[Figure: where raw data and encrypted data sit across backend, shared buffers, page cache and disk for this option.]
• Pros
  • Less execution of encryption and decryption
• Cons
  • Platform dependence
  • Cannot protect data from peeking by a logged-in OS user

27.
[Figure: where raw data and encrypted data sit across backend, shared buffers, page cache and disk for this option.]
• Pros
  • Relatively less execution of encryption and decryption
  • Prevents peeking at files on disk
• Cons
  • Possibly more encryption and decryption is performed when database size > shared buffers

28.
Comparison of the three approaches:

  Approach                   | Transparency                  | Performance impact | Protection against threats
  1. Using pgcrypto          | OK (using views and triggers) | High               | Disk theft, memory dump, peeking at data on disk
  2. Full disk encryption    | OK                            | Low                | Disk theft
  3. Buffer-level encryption | OK                            | Middle             | Disk theft, peeking at data on disk
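The buffer-level design of slides 21 to 28 encrypts a page when it leaves the shared buffers and decrypts it when it is read back, and slide 27 notes the extra work once the database is larger than the shared buffers. The following Go program is an added example written for this page, not code from the slides or from the PoC: it models the buffer pool of one encrypted tablespace with AES-GCM page encryption and counts encryption and decryption operations for a data set that fits in the pool and for one that does not. BufferPool, Workload, the FIFO replacement, write-through on WritePage, the fixed demo DEK and the random nonce per page write are this example's simplifications and assumptions; the page does not describe the PoC's buffer manager or IV scheme.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

const PageSize = 8192 // PostgreSQL's default block size

// BufferPool models the shared buffers of one encrypted tablespace in front of the
// disk: pages are plaintext while cached and AES-GCM ciphertext on disk, encrypted on
// the way out and decrypted on a read miss. Illustrative model, not the PoC's buffer
// manager: write-through instead of bgwriter/checkpointer, FIFO instead of clock sweep.
type BufferPool struct {
	capacity int
	aead     cipher.AEAD    // AES-GCM keyed with the tablespace DEK
	pool     map[int][]byte // block number -> plaintext page
	order    []int          // cached block numbers, oldest first
	Disk     map[int][]byte // block number -> nonce || ciphertext || tag
	Encrypts int            // page encryptions performed
	Decrypts int            // page decryptions performed
}

func NewBufferPool(capacity int, dek []byte) (*BufferPool, error) {
	block, err := aes.NewCipher(dek) // 16/24/32-byte DEK selects AES-128/192/256
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return &BufferPool{capacity: capacity, aead: aead,
		pool: map[int][]byte{}, Disk: map[int][]byte{}}, nil
}

// cache keeps a plaintext copy in the pool, evicting the oldest page when full.
func (bp *BufferPool) cache(blk int, page []byte) {
	if _, cached := bp.pool[blk]; !cached {
		if len(bp.pool) == bp.capacity {
			delete(bp.pool, bp.order[0])
			bp.order = bp.order[1:]
		}
		bp.order = append(bp.order, blk)
	}
	bp.pool[blk] = page
}

// WritePage encrypts the page onto disk (random 96-bit nonce per write) and caches the plaintext.
func (bp *BufferPool) WritePage(blk int, page []byte) error {
	nonce := make([]byte, bp.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	bp.Disk[blk] = bp.aead.Seal(nonce, nonce, page, nil)
	bp.Encrypts++
	bp.cache(blk, append([]byte(nil), page...))
	return nil
}

// ReadPage returns the plaintext page, decrypting it from disk on a miss.
func (bp *BufferPool) ReadPage(blk int) ([]byte, error) {
	if page, cached := bp.pool[blk]; cached {
		return append([]byte(nil), page...), nil
	}
	blob, ok := bp.Disk[blk]
	if !ok {
		return nil, fmt.Errorf("block %d does not exist", blk)
	}
	page, err := bp.aead.Open(nil, blob[:bp.aead.NonceSize()], blob[bp.aead.NonceSize():], nil)
	if err != nil {
		return nil, err // wrong DEK or tampered block: nothing reaches the pool
	}
	bp.Decrypts++
	bp.cache(blk, page)
	return append([]byte(nil), page...), nil
}

// Workload writes npages pages and then scans them once; the counters show the extra
// decryption work once the data set no longer fits in the pool.
func Workload(capacity, npages int) (*BufferPool, error) {
	bp, err := NewBufferPool(capacity, []byte("0123456789abcdef0123456789abcdef")) // constructed demo DEK
	if err != nil {
		return nil, err
	}
	for blk := 0; blk < npages; blk++ {
		page := make([]byte, PageSize)
		copy(page, fmt.Sprintf("block %d: card 4111-1111-1111-%04d", blk, blk)) // constructed record
		if err := bp.WritePage(blk, page); err != nil {
			return nil, err
		}
	}
	for blk := 0; blk < npages; blk++ {
		if _, err := bp.ReadPage(blk); err != nil {
			return nil, err
		}
	}
	return bp, nil
}
```

Workload(4, 10) and Workload(16, 10) both perform 10 page encryptions, but the 4-page pool decrypts every one of the 10 pages on the scan while the 16-page pool decrypts none, which is the cost slide 27 lists for database size > shared buffers. A failed Open (wrong DEK or a modified block) returns an error before anything reaches the pool, and bp.Disk holds only nonce, ciphertext and tag, which is all that someone peeking at the relation file would see.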
29.
• Wrote proof-of-concept code for per-tablespace TDE
  • Tablespace encryption
  • Transparent encryption
  • 2-tier key architecture
  • Key rotation
• Features the PoC code doesn't support (for now):
  • WAL encryption
  • System catalog encryption
  • Temporary file encryption

30.
• PostgreSQL 11.1
  • Vanilla PostgreSQL
  • PostgreSQL with TDE PoC code
  • PostgreSQL with pgcrypto
• 32GB RAM, 500GB HDD
• 6GB shared buffers
• Data sets
  • 5GB (< shared_buffers)
  • 15GB (> shared_buffers)
• Observations
  • TPS
  • Response times
• Duration: 5 min

31.
[Figure: two charts of TPS over duration (sec) comparing vanilla, tde and pgcrypto, "TPS comparison (R:100, W:3)" and "TPS comparison (R:100)", for DB size < shared buffers and DB size > shared buffers. Reported 90th-percentile latencies: vanilla 1.98 ms, TDE 2.01 ms, pgcrypto 2.28 ms; and vanilla 2.32 ms, TDE 2.45 ms, pgcrypto 2.66 ms.]

32.
• Master Key and Data Encryption Key
  • The master key is separated from the encrypted data
    • Stored outside of the database
  • The data encryption keys are managed by the database
  • Faster key rotation
[Figure: the master key encrypts/decrypts the data encryption key, which encrypts/decrypts the data.]

33.
(Same bullets as slide 32.)
[Figure: a new master key re-encrypts the data encryption key; the encrypted data itself is not touched.]

34.
• Key rotation always requires re-encrypting data
  • The 2-tier key architecture requires re-encrypting only the data encryption keys
• 16-, 24- and 32-byte keys for AES-128, AES-192 and AES-256
• One symmetric key per tablespace

35.
• WAL is also sensitive data
• WAL of encrypted relations is encrypted when it is inserted into the WAL buffer

36.
• Two system catalogs could hold sensitive user data
  • pg_statistic
  • pg_statistic_ext

  =# SELECT tablename, attname, histogram_bounds FROM pg_stats WHERE tablename = 'card';
  -[ RECORD 1 ]----+-----------------------------------------------
  tablename        | card
  attname          | card_number
  histogram_bounds | {1102-6674-6045-5459,1606-6441-9374-1335,2507-2573-1560-9962,3323-3000-4260-1336,4319-9183-6377-7031,6035-9617-5940-2060,6682-5210-8901-2679,7304-3837-8200-8185,8391-3583-3888-1725,9091-3895-2466-7845,9970-5910-3522-1423}

37.
• Temporary files are written bypassing the shared buffers
  • base/pgsql_tmp/
  • pg_replslot/
[Figure: a backend writes temp files to disk directly, not through the shared buffers.]

38.
• Per-tablespace, buffer-level transparent encryption
• 2-tier key architecture
• Encrypt WAL, system catalogs and temporary files
• SLRU buffers and relation forks are not encrypted
• Pros
  • Less DDL modification
  • Less performance impact
  • Fast key rotation
• Cons
  • Cannot be set per user
  • Cannot prevent attacks by a malicious superuser

39. (no text on this slide)

40.
• Services or systems dedicated to managing keys robustly
• Usually support some kind of protocol
  • KMIP
  • PKCS#11
• SafeNet KeySecure, Amazon KMS, Oracle Key Vault, etc.

41.
• Robust key management
• Users don't need to worry about key life cycles
[Figure: PostgreSQL registers the master key with the key management system, gets it to encrypt/decrypt the data encryption keys, and removes an old master key; the data encryption keys encrypt/decrypt the data.]

42.
• KMSs support different interfaces and protocols
  • KMIP, PKCS#11, etc.
• Our solution
  • Pluggable architecture to communicate with various KMSs
  • Add generic key management APIs
    • get key, register key, remove key, etc.
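Slides 32 to 34 describe the 2-tier key architecture and slides 40 to 42 the generic key management API behind a pluggable KMS layer. The following Go program is an added example for this page, not the PoC's code: a KeyManager interface with get, register and remove operations, an in-memory stand-in plugin, and a Cluster that keeps its per-tablespace DEKs only in wrapped form under a master key held in the KMS. RotateMasterKey shows why rotation is fast in this design: only the wrapped DEKs are re-encrypted, never the data. The interface shape, AES-256-GCM as the wrapping algorithm and every identifier here (KeyManager, MemoryKMS, Cluster, key ids such as mk-v1) are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyManager is the generic key-management API the slides propose (get, register, remove
// key), with each KMS protocol as a plugin behind it. Names and shapes are this example's.
type KeyManager interface {
	GetKey(id string) ([]byte, error)
	RegisterKey(id string, key []byte) error
	RemoveKey(id string) error
}
type MemoryKMS map[string][]byte // stand-in plugin holding master keys in process memory

func (m MemoryKMS) RegisterKey(id string, key []byte) error { m[id] = key; return nil }
func (m MemoryKMS) RemoveKey(id string) error               { delete(m, id); return nil }
func (m MemoryKMS) GetKey(id string) ([]byte, error) {
	if key, ok := m[id]; ok {
		return key, nil
	}
	return nil, fmt.Errorf("kms: no key %q", id)
}

// randomBytes supplies keys and nonces; a failing crypto/rand is not recoverable here.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key here is 32 bytes, so a bad one is a programming error
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return aead
}
// seal returns nonce || ciphertext || tag under AES-256-GCM; open reverses it and fails on tampering.
func seal(key, plaintext []byte) []byte {
	nonce := randomBytes(12)
	return gcm(key).Seal(nonce, nonce, plaintext, nil)
}
func open(key, blob []byte) ([]byte, error) {
	if len(blob) < 12 {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm(key).Open(nil, blob[:12], blob[12:], nil)
}
// Cluster is the database side: its current master key id and the per-tablespace DEKs, stored wrapped.
type Cluster struct {
	kms         KeyManager
	MasterKeyID string
	WrappedDEKs map[string][]byte // tablespace -> DEK encrypted under the master key
}
func NewCluster(kms KeyManager, masterKeyID string) (*Cluster, error) {
	if err := kms.RegisterKey(masterKeyID, randomBytes(32)); err != nil {
		return nil, err
	}
	return &Cluster{kms: kms, MasterKeyID: masterKeyID, WrappedDEKs: map[string][]byte{}}, nil
}
// CreateEncryptedTablespace generates a fresh DEK and keeps it wrapped by the master key.
func (c *Cluster) CreateEncryptedTablespace(name string) error {
	mk, err := c.kms.GetKey(c.MasterKeyID)
	if err != nil {
		return err
	}
	c.WrappedDEKs[name] = seal(mk, randomBytes(32))
	return nil
}
// DEK unwraps a tablespace key with the master key fetched from the KMS; the data path uses the result.
func (c *Cluster) DEK(ts string) ([]byte, error) {
	mk, err := c.kms.GetKey(c.MasterKeyID)
	if err != nil {
		return nil, err
	}
	return open(mk, c.WrappedDEKs[ts])
}

// RotateMasterKey registers a new master key, re-wraps every DEK under it and only then
// removes the old key from the KMS; the user data encrypted under the DEKs is untouched.
func (c *Cluster) RotateMasterKey(newID string) error {
	oldID, newMK := c.MasterKeyID, randomBytes(32)
	if err := c.kms.RegisterKey(newID, newMK); err != nil {
		return err
	}
	for ts := range c.WrappedDEKs {
		dek, err := c.DEK(ts) // still unwraps with the old master key at this point
		if err != nil {
			return err
		}
		c.WrappedDEKs[ts] = seal(newMK, dek)
	}
	c.MasterKeyID = newID
	return c.kms.RemoveKey(oldID)
}
```

Order matters in RotateMasterKey: the new master key is registered and every DEK re-wrapped before the old key is removed, so a failure part-way leaves the old key usable instead of locking the DEKs out; a real deployment would also persist the re-wrapped DEKs before calling RemoveKey. After rotation the DEK returned by DEK is byte-for-byte the same, so pages sealed under it before the rotation still open, which is the slide 34 point that only the data encryption keys are re-encrypted.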
43.
• The encryption key is also important
• Integration with a KMS frees the user from key management
• Adding generic key management APIs enables us to communicate with various key management systems

44.
• Per-tablespace, buffer-level transparent data-at-rest encryption
  • Less performance overhead
  • Encrypts WAL, system catalogs and temporary files as well
• 2-tier key architecture
  • Fast key rotation
• Integration with KMSs
  • More flexible and robust key management

45.
1. Basic components of transparent data encryption
  • Per tablespace encryption*
  • 2-tier key architecture*
  • Key rotation*
  • System catalog encryption
  • Temporary file encryption
  • Fetching the master key by arbitrary commands*
2. WAL encryption
3. Integration with KMSs
  • Pluggable
  • Registering keys, removing keys, ...
The PoC code has the *-marked features.

46. (no text on this slide)