Encryption
Chapter 48: Data Encryption
Section titled “Chapter 48: Data Encryption”Protecting Data at Rest and in Transit
Section titled “Protecting Data at Rest and in Transit”48.1 Encryption Types
Section titled “48.1 Encryption Types” Encryption in PostgreSQL ========================================================================
┌─────────────────────────────────────────────────────────────────────┐ │ Encryption Layers │ │ │ │ Data at Rest: │ │ ───────────── │ │ • pgcrypto extension - column-level encryption │ │ • Tablespace encryption - OS-level │ │ • Full disk encryption - LUKS, dm-crypt │ │ │ │ Data in Transit: │ │ ─────────────── │ │ • SSL/TLS connections │ │ • Certificate-based authentication │ │ │ │ Password Encryption: │ │ ─────────────────── │ │ • scram-sha-256 (default) │ │ • md5 │ │ │ └─────────────────────────────────────────────────────────────────────┘48.2 Column-Level Encryption
Section titled “48.2 Column-Level Encryption”-- Enable pgcrypto extensionCREATE EXTENSION pgcrypto;
-- Encrypt data using PGPCREATE TABLE sensitive_data ( id SERIAL PRIMARY KEY, ssn_encrypted BYTEA);
-- Encrypt on insertINSERT INTO sensitive_data (ssn_encrypted)VALUES (pgp_sym_encrypt('123-45-6789', 'my_secret_key'));
-- Decrypt on selectSELECT id, pgp_sym_decrypt(ssn_encrypted::bytea, 'my_secret_key') as ssnFROM sensitive_data;
-- Using symmetric key from file-- pgp_sym_encrypt(data, key)48.3 SSL/TLS Configuration
Section titled “48.3 SSL/TLS Configuration”# postgresql.confssl = onssl_cert_file = '/path/to/server.crt'ssl_key_file = '/path/to/server.key'ssl_ca_file = '/path/to/ca.crt'
# Force SSL connections# pg_hba.conf:host all all 0.0.0.0/0 scram-sha-256 hostsslhost all all ::/0 scram-sha-256 hostsslSummary
Section titled “Summary”| Type | Level | Use Case |
|---|---|---|
| pgcrypto | Column | Sensitive data |
| SSL/TLS | Connection | Network security |
| Disk encryption | OS | Full protection |