How encrypted AWS PostgreSQL RDS works under the hood?


How encrypted AWS PostgreSQL RDS works under the hood?



I read that when creating an encrypted AWS Postgres RDS, it encrypts the underlying EBS volume created for it, all read replicas, backups, and snapshots as well.



Also when I queried and inserted the data into DB, it worked same as unencrypted DB would and gave results in plain text.



I have some questions regarding how exactly it is working under the hood.
Here they are:



A simple value-based search can be performed by encrypting what to search and then search it on the encrypted RDS. But my search in PostgreSQL was also working on JSONB nested objects. How is that achieved?



I was able to do a partial search(like query) on a name and address inside a JSONB object. How can a partial search be done on encrypted DB?


like



I have some JSONB columns in my PostgreSQL and I was able to partial insert on my JSONB objects. Its a cool feature of PostgreSQL but how was it achieved when the whole JSONB was encrypted?



PS: I have some knowledge of how DB works under the hood for storing and retrieving data but can't get my head around if everything is encrypted. Pardon me if I am completely wrong on some concepts.



I would really appreciate if someone can shed light on this as I was not able to find it on the internet.



Thanks





This might help: PostgreSQL: Documentation: 8.1: Encryption Options
– John Rotenstein
Jun 30 at 4:45





Thanks. I believe its using Data Partition Encryption here.
– Pranjal Singi
Jun 30 at 15:33




1 Answer
1



You are overthinking this. The DB files on EBS volume do not appear to be encrypted from the perspective of the PostgreSQL process that is running on the RDS server. The encryption/decryption is happening at the hypervisor layer, and is transparent to any software running on the VM. All those things you keep asking how they work, work exactly the same as they would on unencrypted EBS volumes, because when the DB service requests information from disk it receives unencrypted data.



Think of it like going into the BIOS on your laptop and enabling some sort of encryption of your disk volumes. Would you expect that to break all database engines you tried to run on your computer? Would you expect all software to somehow know how to deal with your laptop's BIOS disk encryption? When you do that all the software you run on your computer (like PostgreSQL) doesn't need to suddenly be made aware of how to decrypt data on your disk, it is transparent to that software, appearing to the running software as if the disk is not encrypted.





Thanks @Mark B. I didn't thought like this. I went and read encryption on top of filesystem here - wiki.archlinux.org/index.php/disk_encryption. If this is the case then encryption/decryption on the fly can take a performance hit for searching and updating records if the table or its index grows in size and cannot fit in memory all the time?
– Pranjal Singi
Jun 30 at 15:32





The topic of EBS encryption performance has been discussed already many times, like here: stackoverflow.com/questions/24322670/… I suggest you search for "AWS EBS Encryption Performance" in your favorite search engine.
– Mark B
2 days ago






By clicking "Post Your Answer", you acknowledge that you have read our updated terms of service, privacy policy and cookie policy, and that your continued use of the website is subject to these policies.

Comments

Post a Comment

Popular posts from this blog

paramiko-expect timeout is happening after executing the command

paramiko-expect timeout is happening after executing the command Can someone help me why timeout is happening after executing the command .I am trying to SSH to a machine and execute a command.I want to store the result of the executed command . I have referred paramiko-timeout but i didn't get my expected result. import traceback try: import paramiko except ImportError: raise Exception("Please install paramiko , pip install paramiko") import pexpect from paramiko_expect import SSHClientInteraction def main(): HOSTNAME = "minion5.net" USERNAME = "root" PASSWORD = "help@432" PROMPT = "root@*:~$s+" try: client = paramiko.SSHClient() client.load_system_host_keys() client.set_missing_host_key_policy(paramiko.AutoAddPolicy()) client.connect(hostname=HOSTNAME, username=USERNAME, password=PASSWORD) with SSHClientInteraction(client, timeout=20, display=True) as interact: ...
Read more

Opening a url is failing in Swift

Opening a url is failing in Swift breakpointing inside the callback and logging success shows false. I added itms-apps to my plist: LSApplicationQueriesSchemes and put this in my app delegate: func application(_ app: UIApplication, open url: URL, options: [UIApplicationOpenURLOptionsKey : Any] = [:]) -> Bool { return true } func moreTapped() { let url = NSURL(string: "itms-apps://itunes.com/developer/quantum-productions/id979315877") if #available(iOS 10.0, *) { UIApplication.shared.open(url! as URL, options: [:], completionHandler: {(success: Bool) in }) } else { UIApplication.shared.openURL(url! as URL) } } Are you testing on a real device? – rmaddy Jun 21 at 23:57 I try on a device, get "Cannot Connect to App Store". Device is online ...
Read more

Export result set on Dbeaver to CSV

Export result set on Dbeaver to CSV Normally I use Dbeaver for windows and always export my result set like this: run my query --> select the result --> export the result set --> select export to clipboard --> done This step by step puts my result set in my clipboard and I can paste it wherever I want to work with it. The problem is that now I am using dbeaver for mac and this guide is not working. I can go on until the moment that I select my result set like in the image below: exporting data set But once I go further in the process, in the last step I get: no query Note that in "source" it was suppose to show the query that originated the result set, but instead it says just "select. As a result it does't select my result or anything (besides being "successful"). Normally my query would show up there automatically and I couldn't find any option that corrects this problem in the menus. Please help me! Thanks. Aft...
Read more