PostgreSQL Database Encryption for data protection

Ashritha
13-Aquamarine

Hi team,

Need some help in dealing with the following scenario in ThingWorx.

We have some sensitive data that needs to be stored in the ThingWorx Postgres database.

Currently the data is directly visible in the database if we know the connection string, username and password.

But we want to make sure that even if a person has the connection details, the data is not in human-readable form.

Does ThingWorx support this type of database encryption technique?

If yes, please share the related links to do the same.

Thank you!!

1 ACCEPTED SOLUTION

geva
14-Alexandrite
(To:Ashritha)

Hi - Check out the encrypted PASSWORD base type. This provides for encrypting specific sensitive data, which will be encrypted at the application layer instead of the database layer. If you need whole-database or table-specific encryption, then this is something that you should work with your I.T. provider on. We do support having encrypted databases as long as those still meet the specification of our supported databases, versions, and operating systems.

Also, I will caution you that expecting to encrypt everything will add an extremely large amount of overhead in the resources required to manage this, to build, test, and maintain the code, as well as to troubleshoot the issues. Best practice is to apply security - including but not limited to encryption - across many layers and components of an overall solution, as this will provide better comprehensive coverage. For example, data coming from PLCs is most likely not encrypted; you should question if it is more important to provide things like critical alarms to plant operations teams, or if that should be encrypted and only available to authorized personnel. If it is the latter, then the plant systems also need to be encrypted.

5 REPLIES

TWX supports data encryption; you may check the passwords for TWX users, they are not readable. There are also encryption APIs in the snippets.

Ashritha
13-Aquamarine
(To:zyuan1)

Hi @zyuan1 ,

Yes, the password is encrypted. But we want to encrypt the entire database.

I mean the database should not have human-readable data. Only ThingWorx should be able to decrypt the data and give output in human-readable form.

Is this possible?

We used SQL commands to store data in the DB a lot, but hardly needed to encrypt and decrypt data in every transaction. So if you want to make the whole DB unreadable:

1. Control the DB user name & password, and make them inaccessible to most people

2. Find some method in the DB itself that lets the data get encrypted (I don't know if there's such a function)

Hi @Ashritha ,

The type of encryption you defined is a bit hardcore, because you say that the database should not have human-readable data.

When storing data in the default ThingWorx database (=Persistence Provider), you will always have some small bits of human-readable data, like the name of the column (that is stored at row level in the case of Streams and Datatables). So, if you're really looking to encrypt the entire database, meaning absolutely every row column value from any table, that would not be possible to do by using the default ThingWorx DB (maybe using Transparent Data Encryption for Postgres, but I have never heard of anybody doing that).

If you're just looking to encrypt the row column values themselves only for your sensitive data, which I assume is the case, then you can easily do this by using the ThingWorx encrypt snippets (encryptString or encryptStringWithKey), which will make sure that any value you intend on storing on disk is encrypted with a key (and you can use a default random key known to ThingWorx, or supply your own key). This is what my colleague @zyuan1 mentioned above. Are you sure you tried to do this and this does not satisfy your needs?
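
The approach described in the post above, encrypting only the sensitive column values at the application layer, as an added example that is not part of the thread and is not ThingWorx code. Node's `crypto` module with AES-256-GCM stands in for the `encryptString`/`encryptStringWithKey` snippets, and the row, column names and helper functions are constructed for illustration.

```javascript
// Added example: Node's crypto stands in for the ThingWorx encrypt snippets.
// All function names, column names and values below are hypothetical.
const crypto = require("crypto");

// Demo key only. A real key lives in a key store outside the database.
const KEY = crypto.randomBytes(32);
const SENSITIVE = ["operator_badge", "recipe_notes"];

// AES-256-GCM with a fresh 12-byte IV per value. The column name is bound as
// associated data, so a ciphertext moved to another column fails to decrypt.
function encryptField(column, plaintext, key) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(column, "utf8"));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString("base64");
}

// Throws if the key, the column name or any stored byte does not match.
function decryptField(column, stored, key) {
  const raw = Buffer.from(stored, "base64");
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, raw.subarray(0, 12));
  decipher.setAAD(Buffer.from(column, "utf8"));
  decipher.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString("utf8");
}

// Encrypt only the sensitive columns; column names and other values stay readable.
function protectRow(row, key) {
  const out = {};
  for (const [col, val] of Object.entries(row)) {
    out[col] = SENSITIVE.includes(col) ? encryptField(col, String(val), key) : val;
  }
  return out;
}

function revealRow(stored, key) {
  const out = {};
  for (const [col, val] of Object.entries(stored)) {
    out[col] = SENSITIVE.includes(col) ? decryptField(col, val, key) : val;
  }
  return out;
}

// Constructed sample row: what a person holding only the DB credentials would read.
const sampleRow = { machine_id: "press-07", operator_badge: "B-448120", recipe_notes: "cure 42 s" };
const storedRow = protectRow(sampleRow, KEY);
console.log(storedRow);
console.log(revealRow(storedRow, KEY));
```

The stored row keeps its column names and `machine_id` in clear text, which matches the point above that some readable data always remains; only a holder of the key recovers the sensitive values.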

 

 
