Baoding-FenShuaJiang
/
Green_GoodERP18_FSJ_Standard
Obserwuj 1
Polub 0
Wiki 捐赠
gooderp18绿色标准版
Nie możesz wybrać więcej, niż 25 tematów Tematy muszą się zaczynać od litery lub cyfry, mogą zawierać myślniki ('-') i mogą mieć do 35 znaków.
Gałąź: master
Gałęzie Tagi
${ item.name }
Utwórz gałąź ${ searchTerm }
z 'master'
${ noResults }
Green_GoodERP18_FSJ_Standard/PostgreSQL/doc/postgresql/html/encryption-options.html

84 lines
7.6KB
Czysty Bezpośredni odnośnik Wina Historia 

  1. <?xml version="1.0" encoding="UTF-8" standalone="no"?>

  2. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>18.8. Encryption Options</title><link rel="stylesheet" type="text/css" href="stylesheet.css" /><link rev="made" href="pgsql-docs@lists.postgresql.org" /><meta name="generator" content="DocBook XSL Stylesheets V1.79.1" /><link rel="prev" href="preventing-server-spoofing.html" title="18.7. Preventing Server Spoofing" /><link rel="next" href="ssl-tcp.html" title="18.9. Secure TCP/IP Connections with SSL" /></head><body><div xmlns="http://www.w3.org/TR/xhtml1/transitional" class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="5" align="center">18.8. Encryption Options</th></tr><tr><td width="10%" align="left"><a accesskey="p" href="preventing-server-spoofing.html" title="18.7. Preventing Server Spoofing">Prev</a> </td><td width="10%" align="left"><a accesskey="u" href="runtime.html" title="Chapter 18. Server Setup and Operation">Up</a></td><th width="60%" align="center">Chapter 18. Server Setup and Operation</th><td width="10%" align="right"><a accesskey="h" href="index.html" title="PostgreSQL 12.4 Documentation">Home</a></td><td width="10%" align="right"> <a accesskey="n" href="ssl-tcp.html" title="18.9. Secure TCP/IP Connections with SSL">Next</a></td></tr></table><hr></hr></div><div class="sect1" id="ENCRYPTION-OPTIONS"><div class="titlepage"><div><div><h2 class="title" style="clear: both">18.8. Encryption Options</h2></div></div></div><a id="id-1.6.5.10.2" class="indexterm"></a><p>

  3.    <span class="productname">PostgreSQL</span> offers encryption at several

  4.    levels, and provides flexibility in protecting data from disclosure

  5.    due to database server theft, unscrupulous administrators, and

  6.    insecure networks. Encryption might also be required to secure

  7.    sensitive data such as medical records or financial transactions.

  8.   </p><div class="variablelist"><dl class="variablelist"><dt><span class="term">Password Encryption</span></dt><dd><p>

  9.      Database user passwords are stored as hashes (determined by the setting

  10.      <a class="xref" href="runtime-config-connection.html#GUC-PASSWORD-ENCRYPTION">password_encryption</a>), so the administrator cannot

  11.      determine the actual password assigned to the user. If SCRAM or MD5

  12.      encryption is used for client authentication, the unencrypted password is

  13.      never even temporarily present on the server because the client encrypts

  14.      it before being sent across the network. SCRAM is preferred, because it

  15.      is an Internet standard and is more secure than the PostgreSQL-specific

  16.      MD5 authentication protocol.

  17.     </p></dd><dt><span class="term">Encryption For Specific Columns</span></dt><dd><p>

  18.      The <a class="xref" href="pgcrypto.html" title="F.25. pgcrypto">pgcrypto</a> module allows certain fields to be

  19.      stored encrypted.

  20.      This is useful if only some of the data is sensitive.

  21.      The client supplies the decryption key and the data is decrypted

  22.      on the server and then sent to the client.

  23.     </p><p>

  24.      The decrypted data and the decryption key are present on the

  25.      server for a brief time while it is being decrypted and

  26.      communicated between the client and server. This presents a brief

  27.      moment where the data and keys can be intercepted by someone with

  28.      complete access to the database server, such as the system

  29.      administrator.

  30.     </p></dd><dt><span class="term">Data Partition Encryption</span></dt><dd><p>

  31.      Storage encryption can be performed at the file system level or the

  32.      block level.  Linux file system encryption options include eCryptfs

  33.      and EncFS, while FreeBSD uses PEFS.  Block level or full disk

  34.      encryption options include dm-crypt + LUKS on Linux and GEOM

  35.      modules geli and gbde on FreeBSD.  Many other operating systems

  36.      support this functionality, including Windows.

  37.     </p><p>

  38.      This mechanism prevents unencrypted data from being read from the

  39.      drives if the drives or the entire computer is stolen. This does

  40.      not protect against attacks while the file system is mounted,

  41.      because when mounted, the operating system provides an unencrypted

  42.      view of the data. However, to mount the file system, you need some

  43.      way for the encryption key to be passed to the operating system,

  44.      and sometimes the key is stored somewhere on the host that mounts

  45.      the disk.

  46.     </p></dd><dt><span class="term">Encrypting Data Across A Network</span></dt><dd><p>

  47.       SSL connections encrypt all data sent across the network: the

  48.       password, the queries, and the data returned. The

  49.       <code class="filename">pg_hba.conf</code> file allows administrators to specify

  50.       which hosts can use non-encrypted connections (<code class="literal">host</code>)

  51.       and which require SSL-encrypted connections

  52.       (<code class="literal">hostssl</code>). Also, clients can specify that they

  53.       connect to servers only via SSL.

  54.      </p><p>

  55.       GSSAPI-encrypted connections encrypt all data sent across the network,

  56.       including queries and data returned.  (No password is sent across the

  57.       network.)  The <code class="filename">pg_hba.conf</code> file allows

  58.       administrators to specify which hosts can use non-encrypted connections

  59.       (<code class="literal">host</code>) and which require GSSAPI-encrypted connections

  60.       (<code class="literal">hostgssenc</code>).  Also, clients can specify that they

  61.       connect to servers only on GSSAPI-encrypted connections

  62.       (<code class="literal">gssencmode=require</code>).

  63.      </p><p>

  64.       <span class="application">Stunnel</span> or

  65.       <span class="application">SSH</span> can also be used to encrypt

  66.       transmissions.

  67.      </p></dd><dt><span class="term">SSL Host Authentication</span></dt><dd><p>

  68.      It is possible for both the client and server to provide SSL

  69.      certificates to each other. It takes some extra configuration

  70.      on each side, but this provides stronger verification of identity

  71.      than the mere use of passwords. It prevents a computer from

  72.      pretending to be the server just long enough to read the password

  73.      sent by the client. It also helps prevent <span class="quote">“<span class="quote">man in the middle</span>”</span>

  74.      attacks where a computer between the client and server pretends to

  75.      be the server and reads and passes all data between the client and

  76.      server.

  77.     </p></dd><dt><span class="term">Client-Side Encryption</span></dt><dd><p>

  78.      If the system administrator for the server's machine cannot be trusted,

  79.      it is necessary

  80.      for the client to encrypt the data; this way, unencrypted data

  81.      never appears on the database server. Data is encrypted on the

  82.      client before being sent to the server, and database results have

  83.      to be decrypted on the client before being used.

  84.     </p></dd></dl></div></div><div class="navfooter"><hr /><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="preventing-server-spoofing.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="runtime.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="ssl-tcp.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">18.7. Preventing Server Spoofing </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> 18.9. Secure TCP/IP Connections with SSL</td></tr></table></div></body></html>
上海开阖软件有限公司 沪ICP备12045867号-1