I have a Linux server with a modified PostgreSQL DB which encrypts files at rest, using this guide.

I have installed this modified PostgreSQL on a server whose DB files are encrypted at rest, and it needs the password to decrypt them when the DB process starts.

Whenever the server starts/restarts, specifically when the DB process starts, the DB executes a file which needs to print out the password, let's say give_pass.sh with password 1234:

cat give_pass.sh

#!/bin/sh
echo 1234

But I don't want the password to be present on the server, so something like:

#!/bin/sh
secured_function_that_gives_password

I want to protect the DB files from being exposed in case of a physical theft, so:

  1. Make sure that if the physical DB server is stolen, the password won't be present on the server, nor would it be obtainable by executing the give_pass.sh file, obviously to prevent the DB files from being accessed.
  2. Somehow automate the procedure, meaning that if the DB process fails, it would be restarted, executing give_pass.sh and having the password delivered.

Any ideas how I should go about it? Thanks

Roko
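One way to structure give_pass.sh so that the passphrase lives on a separate secret server and is only fetched over the network at DB start, never written to this host's disk (added example, not code from the question; SECRET_URL, CLIENT_CERT, the one-line response format and the 16-character minimum are assumptions):

```shell
#!/bin/sh
# give_pass.sh: print the at-rest passphrase on stdout, fetched from a separate
# secret server so it is never written to this machine's disk.
# SECRET_URL, CLIENT_CERT and the one-line response format are assumptions.
set -eu

SECRET_URL="${SECRET_URL:-https://secrets.example.internal/v1/pg-rest-key}"
CLIENT_CERT="${CLIENT_CERT:-/etc/pg-key-client/client.pem}"   # mTLS client identity
MAX_ATTEMPTS="${MAX_ATTEMPTS:-5}"

log() { printf 'give_pass: %s\n' "$*" >&2; }   # never log the secret itself
# Accept only a single non-empty line of printable characters, so an error page
# or truncated response is never handed to the database as a key.
validate_secret() {
    secret="$1"
    case "$secret" in
        "")             return 1 ;;   # empty body
        *[![:graph:]]*) return 1 ;;   # whitespace, newline or control characters
    esac
    [ "${#secret}" -ge 16 ] || return 1   # assumed minimum-length policy
    return 0
}

# Fetch over mutual TLS; --fail turns HTTP errors into a non-zero exit (fail closed).
fetch_once() {
    curl --silent --show-error --fail --max-time 10 \
         --cert "$CLIENT_CERT" "$SECRET_URL"
}

# Retry with backoff so a DB restart that races the secret server still succeeds.
fetch_with_retry() {
    attempt=1
    while [ "$attempt" -le "$MAX_ATTEMPTS" ]; do
        if secret="$(fetch_once)" && validate_secret "$secret"; then
            printf '%s\n' "$secret"
            return 0
        fi
        log "attempt $attempt/$MAX_ATTEMPTS failed"
        sleep "$attempt"
        attempt=$((attempt + 1))
    done
    return 1
}

# The database is configured to run "give_pass.sh fetch"; invoked without an
# argument the file only defines functions, so it can be sourced and tested.
case "${1:-}" in
    fetch) fetch_with_retry || { log "giving up"; exit 1; } ;;
esac
```

The client certificate on the local disk is itself a credential a thief would obtain, so the secret server must be able to refuse that host (for example by serving the key only from the expected network and requiring an operator to re-enable a host after an incident). Nothing in the script itself makes the stolen disk unreadable; it only moves the decision of whether to release the key off the machine.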
  • not storing the password on the machine won't prevent physical theft. if they have physical access to the machine, it's not yours anymore – Daniel A. White Mar 26 '23 at 14:28
  • Edited to clarify that I want to prevent files exposed after physical theft, not the theft itself – Roko Mar 26 '23 at 14:45
  • right but the password for postgres does not encrypt the data. you can copy the datafiles to another box and tell it to use any password you'd like – Daniel A. White Mar 26 '23 at 14:45
  • The DB files are encrypted at rest. and need the password to decrypt them when `db process starts` – Roko Mar 26 '23 at 14:53
  • You seem to have a security need which exceeds "free help on the internet" territory. You could have give_pass.sh consult some other on-premises server which is in a locked cupboard in a locked cage in a locked room in a locked building and which is bolted to the floor. There are professionals who do this kind of thing, which is not a programming task. – jjanes Mar 26 '23 at 16:27

0 Answers