Security is a big topic today and in the news almost every day. As the database usually holds sensitive data this data must be well protected. In most cases this is done by encrypting critical data inside the database and decrypt only when requested. But this is not all: When a client reads the data it is decrypted inside the database and then send back over the network unencrypted. What do you win with such a setup? The only risk it protects you from is a theft of either your disks or the whole server. Even more important is that all the connections to your database are encrypted so the traffic from and to your database can not be read be someone else. In this post we’ll look at how you can do this with PostgreSQL.<\/p>\n
<\/p>\n
Obviously, for securing the connections to the database by using SSL we’ll need a server certificate. As I am on Linux this can be generated very easy by using openssl<\/a> to create a self signed certificate. Be aware that your PostgreSQL binaries need to be compiled with “–with-openssl” for the following to work. You can check this by using using pg_config<\/a>:<\/p>\n To create a self signed certificate with openssl simple execute the following command:<\/p>\n This creates a new certificate request<\/a> based on the information you provide. The only important point here (for the scope of this post) is that the “Common Name” must match the server name where your PostgreSQL is running on, e.g.:<\/p>\n This created two files in the directory where you executed the command (the first one is the certificate request and the second one is the private key):<\/p>\n If you want your PostgreSQL instance to start automatically you should remove the pass phrase from the generated private key:<\/p>\n The password which is asked for is the one you provided when you generated the certificate request above. The new key is now in “server.key”. Now you can create your certificate:<\/p>\n If everything went well your brand new certificate should be available:<\/p>\n For PostgreSQL to accept the key when it starts up you’ll need to modify the permissions:<\/p>\n Both files (server.key and server.crt) need to be copied to your data directory (you can adjust this by using the ssl_cert_file<\/a> and ssl_key_file<\/a> configuration parameters):<\/p>\n Now you can turn on ssl…<\/p>\n … and restart your instance:<\/p>\n\npostgres@pgbox:\/u01\/app\/postgres\/local\/dmk\/ [PG960] pg_config | grep CONFIGURE\nCONFIGURE = '--prefix=\/u01\/app\/postgres\/product\/96\/db_0' '--exec-prefix=\/u01\/app\/postgres\/product\/96\/db_0' '--bindir=\/u01\/app\/postgres\/product\/96\/db_0\/bin' '--libdir=\/u01\/app\/postgres\/product\/96\/db_0\/lib' '--sysconfdir=\/u01\/app\/postgres\/product\/96\/db_0\/etc' '--includedir=\/u01\/app\/postgres\/product\/96\/db_0\/include' '--datarootdir=\/u01\/app\/postgres\/product\/96\/db_0\/share' '--datadir=\/u01\/app\/postgres\/product\/96\/db_0\/share' '--with-pgport=5432' '--with-perl' '--with-python' '--with-tcl' '--with-openssl' '--with-pam' '--with-ldap' '--with-libxml' '--with-libxslt' '--with-segsize=2' '--with-blocksize=8' '--with-wal-segsize=16' '--with-extra-version= dbi services build'\n<\/pre>\n
\npostgres@pgbox:\/home\/postgres\/ [PG960] openssl req -new -text -out server.req\n<\/pre>\n
\nGenerating a 2048 bit RSA private key\n............................................................................................................................................+++\n..................................................................................................+++\nwriting new private key to 'privkey.pem'\nEnter PEM pass phrase:\nVerifying - Enter PEM pass phrase:\n-----\nYou are about to be asked to enter information that will be incorporated\ninto your certificate request.\nWhat you are about to enter is what is called a Distinguished Name or a DN.\nThere are quite a few fields but you can leave some blank\nFor some fields there will be a default value,\nIf you enter '.', the field will be left blank.\n-----\nCountry Name (2 letter code) [XX]:CH\nState or Province Name (full name) []:BS\nLocality Name (eg, city) [Default City]:Basel\nOrganization Name (eg, company) [Default Company Ltd]:dbi services\nOrganizational Unit Name (eg, section) []:dba\nCommon Name (eg, your name or your server's hostname) []:pgbox\nEmail Address []:xx@xx@com\n\nPlease enter the following 'extra' attributes\nto be sent with your certificate request\nA challenge password []:\nAn optional company name []:\n<\/pre>\n
\n-rw-r--r--. 1 postgres postgres 3519 Sep 9 13:24 server.req\n-rw-r--r--. 1 postgres postgres 1821 Sep 9 13:24 privkey.pem\n<\/pre>\n
\npostgres@pgbox:\/home\/postgres\/ [PG960] openssl rsa -in privkey.pem -out server.key\nEnter pass phrase for privkey.pem:\nwriting RSA key\npostgres@pgbox:\/home\/postgres\/ [PG960] rm privkey.pem\n<\/pre>\n
\npostgres@pgbox:\/home\/postgres\/ [PG960] openssl req -x509 -in server.req -text -key server.key -out server.crt\n<\/pre>\n
\npostgres@pgbox:\/home\/postgres\/ [PG960] ls -l server.crt \n-rw-r--r--. 1 postgres postgres 4473 Sep 9 13:32 server.crt\npostgres@pgbox:\/home\/postgres\/ [PG960] cat server.crt\nCertificate:\n Data:\n Version: 3 (0x2)\n Serial Number: 12528845138836301488 (0xaddf6645ea37a6b0)\n Signature Algorithm: sha256WithRSAEncryption\n Issuer: C=CH, ST=BS, L=Basel, O=dbi services, OU=dba, CN=pgbox\/emailAddress=xx@xx@com\n Validity\n Not Before: Sep 9 11:32:42 2016 GMT\n Not After : Oct 9 11:32:42 2016 GMT\n Subject: C=CH, ST=BS, L=Basel, O=dbi services, OU=dba, CN=pgbox\/emailAddress=xx@xx@com\n Subject Public Key Info:\n Public Key Algorithm: rsaEncryption\n Public-Key: (2048 bit)\n Modulus:\n 00:cb:4f:d1:b7:81:c4:83:22:2f:fb:9f:4b:fa:6a:\n 16:77:fd:62:37:91:f1:09:cc:c4:e1:04:e1:de:f2:\n 3f:77:35:ec:e5:8f:5a:03:1d:7b:53:8e:5a:72:76:\n 42:2a:cb:95:9a:35:4a:98:1d:78:3c:21:85:3d:7c:\n 59:f6:e8:7b:20:d0:73:db:42:ff:38:ca:0c:13:f6:\n cc:3e:bc:b0:8f:41:29:f1:c7:33:45:79:c7:04:33:\n 51:47:0b:23:f8:d6:58:68:2d:95:83:c9:ad:40:7c:\n 95:9a:0c:ff:92:bd:d6:4f:b2:96:6c:41:45:0d:eb:\n 19:57:b3:9a:fc:1c:82:01:9c:2d:e5:2e:1b:0f:47:\n ab:84:fa:65:ed:80:e7:19:da:ab:89:09:ed:6a:2c:\n 3a:aa:fe:dc:ba:53:e5:52:3f:1c:db:47:4c:4a:d6:\n e5:0f:76:12:df:f4:6c:fd:5a:fb:a5:70:b4:7b:06:\n c3:0c:b1:4d:cf:04:8e:5c:b0:05:cb:f2:ac:78:a6:\n 12:44:55:07:f9:88:55:59:23:11:0f:dd:53:14:6a:\n e8:c4:bb:6a:94:af:1e:54:e8:7d:4f:10:8a:e5:7e:\n 31:3b:cf:28:28:80:37:62:eb:5e:49:26:9d:10:17:\n 33:bc:a7:3f:2a:06:a4:f0:37:a5:b3:07:6d:ce:6a:\n b7:17\n Exponent: 65537 (0x10001)\n X509v3 extensions:\n X509v3 Subject Key Identifier: \n EA:63:B1:7F:07:DF:31:3F:55:28:77:CC:FB:F2:1F:3A:D6:45:3F:55\n X509v3 Authority Key Identifier: \n keyid:EA:63:B1:7F:07:DF:31:3F:55:28:77:CC:FB:F2:1F:3A:D6:45:3F:55\n\n X509v3 Basic Constraints: \n CA:TRUE\n Signature Algorithm: sha256WithRSAEncryption\n 18:2b:96:b6:01:d8:3e:7f:bb:35:0c:4b:53:c2:9c:02:22:41:\n 25:82:d3:b6:a9:88:6e:0e:5d:5b:d3:ac:00:43:0a:04:f4:12:\n 6e:22:fd:3f:77:63:0e:42:28:e3:09:6b:16:67:5f:b7:08:08:\n 74:a3:55:1f:49:09:69:96:e8:f6:2e:9c:8a:d6:a0:e2:f7:d8:\n 30:62:06:f0:5e:1a:85:fe:ff:2d:39:64:f7:f1:e9:ce:21:02:\n f3:86:5f:3b:f6:12:1d:61:cd:a8:bf:36:e2:98:d4:99:b6:95:\n 5e:05:87:8d:ab:2f:30:38:b2:fe:68:ac:50:8d:98:fd:aa:4d:\n 79:e2:f5:71:92:d6:e5:1d:59:42:02:49:7a:2e:e0:f3:ba:41:\n 4d:f4:15:33:44:36:14:43:3b:7a:41:1b:61:6c:ff:78:fb:13:\n 4a:a4:e0:96:6c:45:80:0e:30:e3:63:9d:dc:f1:77:16:22:9c:\n 7a:c9:92:96:53:3b:62:87:ca:cb:e8:4a:a4:4f:69:a6:a0:5a:\n a9:eb:be:58:7f:c1:da:d4:d7:41:d4:54:06:fb:5b:8b:ea:46:\n 68:f5:e6:1e:2b:6a:0b:65:f9:66:5a:a2:14:ec:eb:05:2f:99:\n 46:bc:bb:d8:11:f6:3f:2e:6e:15:48:ac:70:1f:18:2d:e2:78:\n 4b:a3:cb:ef\n-----BEGIN CERTIFICATE-----\nMIIDxTCCAq2gAwIBAgIJAK3fZkXqN6awMA0GCSqGSIb3DQEBCwUAMHkxCzAJBgNV\nBAYTAkNIMQswCQYDVQQIDAJCUzEOMAwGA1UEBwwFQmFzZWwxFTATBgNVBAoMDGRi\naSBzZXJ2aWNlczEMMAoGA1UECwwDZGJhMQ4wDAYDVQQDDAVwZ2JveDEYMBYGCSqG\nSIb3DQEJARYJeHhAeHhAY29tMB4XDTE2MDkwOTExMzI0MloXDTE2MTAwOTExMzI0\nMloweTELMAkGA1UEBhMCQ0gxCzAJBgNVBAgMAkJTMQ4wDAYDVQQHDAVCYXNlbDEV\nMBMGA1UECgwMZGJpIHNlcnZpY2VzMQwwCgYDVQQLDANkYmExDjAMBgNVBAMMBXBn\nYm94MRgwFgYJKoZIhvcNAQkBFgl4eEB4eEBjb20wggEiMA0GCSqGSIb3DQEBAQUA\nA4IBDwAwggEKAoIBAQDLT9G3gcSDIi\/7n0v6ahZ3\/WI3kfEJzMThBOHe8j93Nezl\nj1oDHXtTjlpydkIqy5WaNUqYHXg8IYU9fFn26Hsg0HPbQv84ygwT9sw+vLCPQSnx\nxzNFeccEM1FHCyP41lhoLZWDya1AfJWaDP+SvdZPspZsQUUN6xlXs5r8HIIBnC3l\nLhsPR6uE+mXtgOcZ2quJCe1qLDqq\/ty6U+VSPxzbR0xK1uUPdhLf9Gz9WvulcLR7\nBsMMsU3PBI5csAXL8qx4phJEVQf5iFVZIxEP3VMUaujEu2qUrx5U6H1PEIrlfjE7\nzygogDdi615JJp0QFzO8pz8qBqTwN6WzB23OarcXAgMBAAGjUDBOMB0GA1UdDgQW\nBBTqY7F\/B98xP1Uod8z78h861kU\/VTAfBgNVHSMEGDAWgBTqY7F\/B98xP1Uod8z7\n8h861kU\/VTAMBgNVHRMEBTADAQH\/MA0GCSqGSIb3DQEBCwUAA4IBAQAYK5a2Adg+\nf7s1DEtTwpwCIkElgtO2qYhuDl1b06wAQwoE9BJuIv0\/d2MOQijjCWsWZ1+3CAh0\no1UfSQlpluj2LpyK1qDi99gwYgbwXhqF\/v8tOWT38enOIQLzhl879hIdYc2ovzbi\nmNSZtpVeBYeNqy8wOLL+aKxQjZj9qk154vVxktblHVlCAkl6LuDzukFN9BUzRDYU\nQzt6QRthbP94+xNKpOCWbEWADjDjY53c8XcWIpx6yZKWUztih8rL6EqkT2mmoFqp\n675Yf8Ha1NdB1FQG+1uL6kZo9eYeK2oLZflmWqIU7OsFL5lGvLvYEfY\/Lm4VSKxw\nHxgt4nhLo8vv\n-----END CERTIFICATE-----\n<\/pre>\n
\npostgres@pgbox:\/home\/postgres\/ [PG960] chmod 600 server.key\npostgres@pgbox:\/home\/postgres\/ [PG960] ls -l server.key\n-rw-------. 1 postgres postgres 1675 Sep 9 13:30 server.key\n<\/pre>\n
\npostgres@pgbox:\/home\/postgres\/ [PG960] mv server.key server.crt $PGDATA\/\n<\/pre>\n
\n(postgres@[local]:5432) [postgres] > alter system set ssl='on';\nALTER SYSTEM\nTime: 5.427 ms\n<\/pre>\n
\npostgres@pgbox:\/home\/postgres\/ [PG960] pg_ctl -D $PGDATA restart -m fast\n<\/pre>\n