How to PostgreSQL Database Encryption

  2. HowTo
  3. PostgreSQL Howtos
  4. How to PostgreSQL Database Encryption
Bilal Shahid Feb 02, 2024
PostgreSQL PostgreSQL Encryption
  1. Introduction to Encryption
  2. PostgreSQL Database Encryption
How to PostgreSQL Database Encryption

This tutorial describes various ways that you can choose to encrypt your data in PostgreSQL.

Introduction to Encryption

Encryption, in simple terms, is a method by which one can secure data. It is altered systematically to conceal the contents and make them unreadable to anyone except the intended users.

It is possible as only intended recipients will have a key to decrypt the data to read it. As a result, any sensitive information will always be concealed.

It is recommended to encrypt data in all cases. However, it is crucial if any sensitive information is being sent or received on an unsecured server or in any other situation where data is threatened.

PostgreSQL Database Encryption

A database can be encrypted on three different layers depending on the requirement. It includes the following:

  • Client application
  • Storage device
  • The database itself

Remember that the self database encryption is often the best form of encryption as it is known to cover most threat models.

We can apply other methods, but the main goal should be protecting the client application. So, here are a few approaches that you can choose from to encrypt your data in PostgreSQL.

System Disk Encryption

As the name suggests, system disk encryption is a process in which disk encryption software/hardware encrypts every bit of data that is saved onto your disk.

It means we could encrypt a user’s data as soon as it is created if the software or hardware is programmed to do so simultaneously.

For this, you won’t have to modify your PostgreSQL setup as your disk is encrypted. An easy way to perform system disk encryption is using a VM in Linux.

Here’s what you need to do:

First, create a temporary VM, which will be a duplicate of your target machine. The target disk can be an existing one, but it is best to create a new one and add your database later.

Regardless of your decision, the target disk must be at least 256MB greater than the source disk. Next, you can follow the instructions given below:

  1. Must mount the target and source disks to the temporary VM.

  2. Connect the VM over a serial port. Must enable a serial port connection to perform this step. You can add serial-port-enable with the value TRUE under metadata to allow for the serial port connection.

  3. Next, you will have to make grub accessible. To do so, use the following command:

    grub2-mkconfig -o/boot/grub2/grub.cfg

    After this, reboot the system, and grub will be accessible on the serial console.

  4. Format the disk to create an unencrypted (boot) and encrypted system. It allows the system to boot grub so the user may enter a key to decrypt data.

    We can do it using the fdisk /dev/sdb command.

  5. Use cryptsetup to encrypt the disk. You can also map a specific portion of the disk that is to be encrypted. Then, you can encrypt your database as long as it exists on this disk.

Additional steps, such as resizing the disk or creating backups, may be done after this.

Transparent Data Encryption

PostgreSQL TDE is a feature that allows a user to perform PostgreSQL encryption for the whole database using cluster encryption. It encrypts while writing to the disk and decrypts while reading from it.

You can perform the following steps during PostgreSQL installation for this to be applied by default.

  • Create a directory for PostgreSQL. The default location is often used.
  • Libraries for bison, readline, flex, zlib, openssl, and crypto need to be installed. You may install additional libraries if required.
  • Install PostgreSQL to your system.
  • Switch to the postgres user using su - postgres.
  • Create an encrypted cluster using -K.

    For example, initdb -D /user/pgsql/xyz -K/user/pgsql/key. Here, user/pgsql/key returns an encryption key.

  • initdb stores the encryption key command to postgresql.conf.

The cluster has been successfully created and will now encrypt your data. When a user runs Postgres, these encrypted clusters will be no different than unencrypted ones.

The only difference is that the data encryption variable will be set.

Encrypting a Specific Section of the Database

With the methods above, the entire database or all databases on PostgreSQL are encrypted. However, you can also encrypt individual databases or even a specific part of a database.

It is best to use an extension such as pgcrypto to accomplish this. Here’s how selective Postgres encryption using pgcrypto works:

  1. Enable the pgcrypto extension using CREATE EXTENSION IF NOT EXISTS pgcrypto.
  2. Generally, the PGP_SYM_ENCRYPT command encrypts data while PGP_SYM_DECRYPT decrypts it.

Here is how you can encrypt and decrypt columns in PostgreSQL.

Insert Encrypted Data Into a Column

INSERT INTO temp (x, y)
VALUES
('xx', PGP_SYM_ENCRYPT('yy', 'key')::text);

Update Data That Is Already Encrypted

UPDATE temp
SET y= PGP_SYM_ENCRYPT('content', 'key')::text
WHERE x= 'xx';

Decrypt Data to Read

SELECT x, PGP_SYM_DECRYPT(y::bytea, 'key') as data
FROM temp WHERE x= 'xx';

That sums up some of the different ways you can encrypt your database depending on your requirements. PostgreSQL encryption may seem difficult at first glance, but it is pretty simple to accomplish.

We hope that we have helped you identify what kind of encryption service works best for you so that your data is always protected.

Author: Bilal Shahid
Bilal Shahid avatar Bilal Shahid avatar

Hello, I am Bilal, a research enthusiast who tends to break and make code from scratch. I dwell deep into the latest issues faced by the developer community and provide answers and different solutions. Apart from that, I am just another normal developer with a laptop, a mug of coffee, some biscuits and a thick spectacle!

GitHub