Database Security Hardening
Defense in Depth
Database security requires multiple layers: network isolation, encryption, access control, and auditing.
Encryption
Encryption at Rest
-- PostgreSQL TDE (Percona pg_tde); key-provider function names and options differ between pg_tde releases, so check the docs for the installed version
CREATE EXTENSION pg_tde;
-- The file provider must point at a keyring file readable only by the postgres OS user
SELECT pg_tde_add_database_key_provider('file-vault', '{"type":"file"}');
SELECT pg_tde_set_principal_key('production-db-key', 'file-vault');
-- Setting a key encrypts nothing by itself: a table is only encrypted when it uses the tde_heap access method
ALTER TABLE orders SET ACCESS METHOD tde_heap;
Encryption in Transit
# postgresql.conf
ssl = on
ssl_cert_file = '/etc/ssl/certs/server.crt'
ssl_key_file = '/etc/ssl/private/server.key'
ssl_min_protocol_version = 'TLSv1.2'
# ssl = on only offers TLS; to require it, use hostssl (not host) entries in pg_hba.conf, e.g.:
# hostssl all all 10.0.0.0/8 scram-sha-256
Access Control
Apply least privilege with separate roles (CREATE ROLE defaults to NOLOGIN, so these are group roles that login users inherit):
CREATE ROLE read_only;
CREATE ROLE read_write;
GRANT USAGE ON SCHEMA public TO read_only, read_write;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO read_only;
-- UPDATE and DELETE with a WHERE clause also need SELECT
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO read_write;
-- ON ALL TABLES covers only tables that already exist; default privileges cover future ones
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO read_only;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO read_write;
Row-Level Security
ALTER TABLE orders ENABLE ROW LEVEL SECURITY;
-- Without FORCE the table owner bypasses the policy (superusers and BYPASSRLS roles always do)
ALTER TABLE orders FORCE ROW LEVEL SECURITY;
CREATE POLICY tenant_isolation ON orders
USING (tenant_id = current_setting('app.tenant_id')::INT);
-- The application sets the tenant per transaction, e.g. SET LOCAL app.tenant_id = '42'; an unset value fails closed with an error
Audit Logging
-- In postgresql.conf (requires a restart): pgaudit must be preloaded before the extension can be created
shared_preload_libraries = 'pgaudit'
pgaudit.log = 'write,ddl,role'
-- Then, in each database to be audited:
CREATE EXTENSION pgaudit;
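The audit trail only becomes a control when something reads it. As an added example (not code from the original page), this script parses pgaudit's CSV records out of log lines and flags events that the write/ddl/role classes above capture but that an application role should never produce; the log_line_prefix format, the sample lines and the role name `app` are assumptions.

```python
from __future__ import annotations
import csv
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines (not real server output). The log_line_prefix is assumed to
# be '%t [%p] %u@%d '; everything after "AUDIT: " is the CSV record pgaudit writes.
SAMPLE_LOG = """\
2024-05-01 10:00:01 UTC [4242] app@prod LOG:  AUDIT: SESSION,1,1,WRITE,INSERT,TABLE,public.orders,"INSERT INTO orders (tenant_id, total) VALUES ($1, $2)",<not logged>
2024-05-01 10:00:02 UTC [4243] app@prod LOG:  AUDIT: SESSION,2,1,DDL,ALTER TABLE,TABLE,public.orders,"ALTER TABLE orders DISABLE ROW LEVEL SECURITY",<not logged>
2024-05-01 10:00:03 UTC [4244] app@prod LOG:  AUDIT: SESSION,3,1,ROLE,GRANT,,,"GRANT ALL ON ALL TABLES IN SCHEMA public TO app",<not logged>
2024-05-01 10:00:04 UTC [4245] app@prod LOG:  connection received: host=10.0.1.5 port=51234
"""

LINE_RE = re.compile(r"^\S+ \S+ \S+ \[(?P<pid>\d+)\] (?P<user>[^@ ]+)@(?P<db>\S+) LOG:\s+AUDIT: (?P<csv>.*)$")
# Column order of the pgaudit CSV record.
FIELDS = ("audit_type", "statement_id", "substatement_id", "class_", "command",
          "object_type", "object_name", "statement", "parameter")

@dataclass
class AuditEvent:
    user: str
    db: str
    class_: str
    command: str
    object_name: str
    statement: str

def parse_pgaudit_line(line: str) -> Optional[AuditEvent]:
    """Return an AuditEvent for a pgaudit line, or None for any other log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    row = next(csv.reader([m.group("csv")]))  # csv handles the quoted statement with embedded commas
    if len(row) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, row))
    return AuditEvent(m.group("user"), m.group("db"), rec["class_"], rec["command"],
                      rec["object_name"], rec["statement"])

# DDL that weakens the row-level security configured on this page.
RLS_WEAKENING = re.compile(r"\b(DISABLE|NO FORCE) ROW LEVEL SECURITY\b|\b(DROP|ALTER) POLICY\b", re.I)

def find_suspicious(log_text: str, app_roles=("app",)) -> list[tuple[str, str]]:
    """Return (reason, statement) pairs for events an application role should never produce."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_pgaudit_line(line)
        if ev is None or ev.user not in app_roles:
            continue  # non-audit lines and trusted roles (e.g. a migration role) are ignored
        if ev.class_ == "ROLE":
            hits.append(("privilege change by application role", ev.statement))
        elif ev.class_ == "DDL" and RLS_WEAKENING.search(ev.statement):
            hits.append(("row-level security weakened by application role", ev.statement))
    return hits
```

In production, point `find_suspicious` at the tail of the server log (or the CSV log if log_destination includes csvlog) and route hits to the alerting pipeline.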
Network Isolation
Place databases in private subnets. Use security groups to restrict access to specific application servers only. Never expose databases directly to the internet.
Conclusion
Layer encryption, access control, RLS, audit logging, and network isolation. Rotate credentials regularly. Follow least privilege. Test your security controls periodically.