Everything You Need to Know About EDB Postgres Transparent Data Encryption

May 24, 2023

In an era where your data is your most valuable asset, you need a database that provides two guarantees—the ability to harness that data for your applications and the ability to protect it.

As bad actors get more and more creative in their attempts to steal essential information from enterprises, having a robust data protection strategy is critical, especially for those in highly regulated industries such as finance and government. 

Still, no matter your industry, breaches are costly in both revenue and reputation. You need your database management system to ensure you don’t fall prey—and pay the price.

That’s why EDB Postgres offers various encryption options at several different levels and provides flexibility in protecting data from disclosure due to database server theft, unscrupulous administrators and insecure networks.

Some of these encryption options include:

  • Transparent Data Encryption (TDE)
  • Full Disk Encryption
  • File System Encryption
  • Column Level Encryption
  • Password Storage Encryption 
  • Data Partition Encryption
  • Network-based Password Encryption
  • Network-based Data Encryption
  • Client-side Encryption 

In this blog, we’ll specifically look at Transparent Data Encryption, also known as TDE.

Transparent Data Encryption: The foundation of protecting your data

One of the building blocks of database encryption is TDE. TDE offers encryption at the file level, which solves the problem of protecting data at rest (though not data in transit or data in use), encrypting databases both on the hard drive and consequently on backup media. Enterprises typically employ TDE to meet compliance requirements such as PCI DSS, which mandate the protection of data at rest. TDE is an optional feature supported by version 15 of EDB Postgres Advanced Server and EDB Postgres Extended Server with the EDB Standard Plan.

In addition, TDE also helps protect private and confidential information by encrypting it so that it cannot be read by anyone without the authority to see it. It uses key management to control who has access to what data. Keys are essentially decoder rings, which allow for encrypted data to be unlocked with a unique key.

Community Postgres does not have TDE, making it a difficult choice for regulated industries and governmental agencies that require PCI compliance or additional data at rest regulation. The introduction of TDE to Postgres makes it a much more viable option for these types of customers.

What is encrypted with TDE?

TDE encrypts the following:

  • Files underlying tables, sequences and indexes, including TOAST tables and system catalogs, together with all forks of those files. These files are known as data files.
  • Write-ahead log (WAL) files
  • Temporary files for query processing and database system operation

The following items are not encrypted:

  • Metadata internal to operating the database system that doesn't contain user data, such as the transaction status (for example, pg_subtrans and pg_xact).
  • The file names and file system structure in the data directory. That means that the overall size of the database system, the number of databases, the number of tables, their relative sizes, as well as file system metadata such as last access time are all visible without decryption.
  • Data in foreign tables, server diagnostic logs, configuration files, etc.

How does TDE work?

TDE prevents unauthorized viewing of data in operating system files on the database server and on backup storage. Data becomes unintelligible for unauthorized users if it's stolen or misplaced.

Data encryption and decryption are managed by the database and do not require application changes or updated client drivers.

EDB Postgres Advanced Server and EDB Postgres Extended Server provide hooks to key management that's external to the database. These hooks allow for simple passphrase encrypt/decrypt or integration with enterprise key management solutions.
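To make the hook design concrete, here is an added example (not EDB's own code) that emulates the passphrase variant of the key-wrap and key-unwrap commands: a random data encryption key is generated once, stored only in wrapped form, and the passphrase can be rotated by re-wrapping without touching the data key. It assumes openssl is installed, that the wrap/unwrap command shapes match the openssl-based ones EDB documents for initdb's key-wrap and key-unwrap options (verify the option names against your release's documentation), and that the server substitutes the key file path where this script uses a fixed temp path.

```shell
#!/bin/sh
# Added example, not EDB code. Emulates TDE's external key-wrap hooks.
# ASSUMPTIONS: openssl is on PATH; $KEYFILE stands in for the wrapped data
# key file the server keeps inside the data directory (path assumed).
# In EDB TDE the equivalent commands are handed to initdb as the key-wrap
# and key-unwrap commands, with "%p" replaced by the key file path.
set -eu

WORK=$(mktemp -d)
KEYFILE="$WORK/key.bin"

# wrap_key PASSPHRASE_ENV_VAR  (raw key on stdin -> wrapped key in $KEYFILE)
# This is what the wrap command does once, when the cluster is initialised.
wrap_key() {
    openssl enc -e -aes-128-cbc -pbkdf2 -pass "env:$1" -out "$KEYFILE"
}

# unwrap_key PASSPHRASE_ENV_VAR  (wrapped key in $KEYFILE -> raw key on stdout)
# This is what the unwrap command does at every server start; it must be
# able to run non-interactively, which is where a KMS integration comes in.
unwrap_key() {
    openssl enc -d -aes-128-cbc -pbkdf2 -pass "env:$1" -in "$KEYFILE"
}

# The data encryption key is generated exactly once and never stored in clear.
gen_data_key() {
    openssl rand -hex 16
}

# Rotating the passphrase only re-wraps the key: unwrap with the old
# passphrase, wrap with the new one. Every encrypted page on disk is unchanged.
rotate_passphrase() {
    raw=$(unwrap_key "$1")
    printf '%s' "$raw" | wrap_key "$2"
}

# End-to-end check; returns 0 when wrap, rotate and unwrap behave as expected.
demo() {
    DATA_KEY=$(gen_data_key)
    TDE_PASS="initial-passphrase"; export TDE_PASS          # constructed value
    printf '%s' "$DATA_KEY" | wrap_key TDE_PASS
    TDE_PASS_NEW="rotated-passphrase"; export TDE_PASS_NEW  # constructed value
    rotate_passphrase TDE_PASS TDE_PASS_NEW
    # The new passphrase yields the original key; the old one no longer does.
    [ "$(unwrap_key TDE_PASS_NEW)" = "$DATA_KEY" ] || return 1
    [ "$(unwrap_key TDE_PASS 2>/dev/null || true)" != "$DATA_KEY" ]
}
```

Whatever holds the passphrase (an environment variable, a file, or a KMS call) is now the real secret: anyone who can read it and the key file can decrypt the data directory and its backups.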

Keep your data protected: Know Postgres security best practices

In late 2022, a car rental agency suffered a major data breach, in which hackers were able to exfiltrate 51 columns and 10,000 rows of rental transactions from the agency’s MySQL database via Amazon RDS/EBS snapshots. Contained in these snapshots was a massive amount of personally identifiable information (PII), including names, contact information, marital status and more.

Stories like these are more common than many organizations may like to think—and they affect businesses of all sizes, across all industries, around the world. While not all of these stories may be as dramatic as the aforementioned breach, they all carry consequences—financial, legal and compliance-based.

That’s why you need to be prepared—to understand your Postgres database’s security capabilities and how to effectively deploy them. While TDE is a foundational component of this, it’s just one of many. Renowned for its ranging encryption features, Postgres gives you the power to ensure it’s never your company’s name in the next big data breach headline.

Invest in Postgres. Invest in your security.

Learn more about Postgres’ powerful encryption capabilities in our 2023 white paper, “Security Best Practices for PostgreSQL.”
