      Knowledge articles - Security

      How do I verify if the tablespace is encrypted or unencrypted? (KBS001)

      You can verify which tablespaces are encrypted using the pgx_tablespaces system view. The following command shows the encryption algorithm applied to each tablespace.
      The example below shows that the tablespace ‘secure_tablespace’ is encrypted using AES256, while the tablespaces ‘pg_default’ and ‘pg_global’, which have the value ‘none’ in the column ‘spcencalgo’, are not encrypted. The other possible value is AES128.

      postgres=# SELECT spcname, spcencalgo FROM pg_tablespace ts, pgx_tablespaces tsx WHERE ts.oid = tsx.spctablespace;

            spcname      | spcencalgo
      -------------------+------------
       pg_default        | none
       pg_global         | none
       secure_tablespace | AES256
      (3 rows)
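
      The same check taken down to object level, as an added example that is not part of the original article: the query lists user tables, indexes and materialized views stored in a tablespace whose spcencalgo is ‘none’. pgx_tablespaces, spctablespace and spcencalgo are as shown above; the other catalogs are standard PostgreSQL, and comparing spcencalgo with the literal 'none' assumes the column is a text type.

```sql
-- Added example (not from the original article): find relations of the
-- current database that are stored in an unencrypted tablespace.
SELECT n.nspname      AS schema_name,
       c.relname      AS relation_name,
       CASE c.relkind
            WHEN 'r' THEN 'table'
            WHEN 'i' THEN 'index'
            WHEN 'm' THEN 'materialized view'
       END            AS relation_type,
       ts.spcname     AS tablespace_name,
       tsx.spcencalgo AS encryption
FROM   pg_class c
JOIN   pg_namespace n ON n.oid = c.relnamespace
JOIN   pg_database d  ON d.datname = current_database()
-- reltablespace = 0 means "the database's default tablespace", so resolve it
-- through pg_database.dattablespace instead of joining on 0.
JOIN   pg_tablespace ts
       ON ts.oid = CASE WHEN c.reltablespace = 0
                        THEN d.dattablespace
                        ELSE c.reltablespace
                   END
JOIN   pgx_tablespaces tsx ON tsx.spctablespace = ts.oid
WHERE  c.relkind IN ('r', 'i', 'm')
-- Skip system, TOAST and temporary schemas (all prefixed pg_).
AND    n.nspname !~ '^pg_'
AND    n.nspname <> 'information_schema'
-- Assumption: spcencalgo is text and holds 'none' as in the output above.
AND    tsx.spcencalgo = 'none'
ORDER  BY ts.spcname, n.nspname, c.relname;
```

      An empty result means every user relation in this database sits in an encrypted tablespace. Because pg_class is a per-database catalog, run the query in each database of the instance.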

      Applicable to

      Product: Fujitsu Enterprise Postgres AE

      Versions: from 9.5

      Architecture: X86, S390x, ppc64le

      Operating System: Linux

      I would like to encrypt not only data but also backup data. How can I achieve that? (KBS002)

      Encryption using the Transparent Data Encryption (TDE) feature is applied at the tablespace level. This means that data such as tables and indexes created in the specified tablespace, the WAL, backup files, and archive logs will be automatically encrypted.

      The data and indexes in the encrypted tablespace, along with the associated WAL files, can be backed up by taking a physical backup using the pgx_dmpall or pg_basebackup command. It is important to back up the keystore.ks file so that encrypted data can be restored with a keystore and passphrase. Any tablespace that is not encrypted is backed up unencrypted.

      Note that a logical backup taken by the pg_dump, pg_dumpall, or COPY command is not encrypted. This is because a logical backup is taken through the SQL interface (like a client executing any other SELECT statement), so encrypted data are decrypted before being written to the backup file.

      Applicable to

      Product: Fujitsu Enterprise Postgres AE

      Versions: from 9.5

      Architecture: X86, S390x, ppc64le

      Operating System: Linux

      How can data, for example a credit card number, be masked with Data Masking? (KBS003)

      If you want to mask the first 12 digits of a credit card number, you can apply Partial masking.

      There are 3 different types of Data Masking supported that can be applied using masking policies, which include:

      • “Full masking” where a whole column value can be obfuscated with alternate values. For example, values in a numeric type of column are replaced with ‘0’ and values in a character type of column are replaced with a space.
      • “Partial masking” which allows you to mask part of a string. For example, the first 12 digits of a credit card number can be replaced with ‘*’. The masked data are displayed as follows:
        postgres=# SELECT * from emp;

         id |    name    |    creditcard_num
        ----+------------+---------------------
         1  | John Smith | ****-****-****-3433
         2  | Adam Brown | ****-****-****-8209
      • “Regular expression masking” is flexible and allows you to define masking by using regular expressions, which is useful for unstructured types like XML or JSON (ability to mask a single element). For example, for strings with variable length such as an email address, the characters preceding ‘@’ can be replaced with ‘*’.

      You can specify whether or not to apply a masking policy using a function. If the result of the function is true, masking is applied; otherwise it is not. This also gives you the flexibility to mask data selectively for specific users.

      Applicable to

      Product: Fujitsu Enterprise Postgres AE

      Versions: from 9.5

      Architecture: X86, S390x, ppc64le

      Operating System: Linux
