PostgreSQL supports SSL certificates. Under normal circumstances, data between the PostgreSQL server and the client is transmitted in clear text, which carries a certain security risk.
If encryption is required, then once OpenSSL is installed on the server you can use the openssl command to generate a private key and certificate for encrypting and decrypting the data, and then make a minor modification to the configuration files.
1. Use openssl to generate a private key and certificate; a shell script can do this.
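# create a certificate request; the unencrypted key lands in privkey.pem, which the next command reads
openssl req -nodes -new -text -subj "/C=CH/ST=Shanghai/L=Jinan/O=HighGo/CN=tbing" -out server.req
# write the private key out as server.key
openssl rsa -in privkey.pem -out ./server.key
# self-sign the request to produce server.crt
openssl req -x509 -in server.req -text -key ./server.key -out ./server.crt
# install the files in the data directory and restrict their permissions
cp server.* $PGDATA/../data5433/
chmod 600 $PGDATA/../data5433/server.key $PGDATA/../data5433/server.crt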
Before running the script, make sure the PGDATA environment variable is set correctly for the data directory. After running it you will find two files in the data directory: the private key server.key and the certificate server.crt. The shell script must change the permissions on these two files; otherwise the database will not start.
2. Modify the postgresql.conf configuration file to enable SSL connections.
ssl = on
ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'
ssl_prefer_server_ciphers = on
ssl_ecdh_curve = 'prime256v1'
ssl_cert_file = 'server.crt'
ssl_key_file = 'server.key'
3. Modify pg_hba.conf so that connections use hostssl.
hostssl all all 0.0.0.0/0 md5
4. Make the configuration take effect.
select pg_reload_conf();
5. Connect to the database; the connection is shown as encrypted.
[postgres@kbj-db-1 ~]$ psql -p5433 -hlocalhost -Upostgreadm -dpdb
Password for user ktccadmin:
psql (11.4)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.
6. View the packet capture.
Before encryption:
tcpdump -t -s 0 -c 20 ip host 172.17.16.12 and 172.17.16.9 and port 5433 -w ./potgresql-ssl_4.cap
After encryption:
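
An offline check of steps 2 and 3, added here as an example and not part of the original post: a `host` rule in pg_hba.conf matches both SSL and non-SSL connections, so any `host` line left next to the new `hostssl` line still lets remote clients connect in clear text. The function names, the sample files and the decision to skip loopback rules are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): offline check of steps 2 and 3.

# ssl_setting FILE: print the effective "ssl" value of a postgresql.conf.
ssl_setting() {
    awk -v q="'" '
        { sub(/#.*/, ""); gsub("[=" q "]", " ") }  # drop comments; split on = and quotes
        $1 == "ssl" { v = tolower($2) }            # the last assignment wins
        END { print (v == "" ? "off" : v) }        # PostgreSQL default: ssl = off
    ' "$1"
}

# audit_hba FILE: print each rule that admits unencrypted TCP from a
# non-loopback address; return 1 if any was printed.
# Assumption of this example: loopback-only rules are out of scope.
audit_hba() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }                 # blanks and comments
        $1 != "host" && $1 != "hostnossl" { next }    # host matches SSL and non-SSL
        $4 ~ /^127\./ || $4 ~ /^::1/ || $4 == "localhost" { next }
        $5 == "reject" || $6 == "reject" { next }     # reject rules admit nobody
        { printf "line %d: %s\n", NR, $0; bad = 1 }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample files: the post's settings plus a leftover host rule.
sample=$(mktemp -d)
cat > "$sample/postgresql.conf" <<'EOF'
#ssl = off
ssl = on                       # step 2
ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'
EOF
cat > "$sample/pg_hba.conf" <<'EOF'
local   all  all                 peer
host    all  all  127.0.0.1/32   md5
host    all  all  0.0.0.0/0      md5
hostssl all  all  0.0.0.0/0      md5
EOF
cat > "$sample/pg_hba_fixed.conf" <<'EOF'
local   all  all                 peer
host    all  all  127.0.0.1/32   md5
hostssl all  all  0.0.0.0/0      md5
EOF

echo "ssl = $(ssl_setting "$sample/postgresql.conf")"
audit_hba "$sample/pg_hba.conf" || echo "cleartext TCP is still accepted"
audit_hba "$sample/pg_hba_fixed.conf" && echo "fixed file: remote clients need SSL"
```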