PostgreSQL Encryption, Tokenization, and Masking

Baffle’s Data Protection Service is the easiest to implement and most comprehensive solution for protecting sensitive information in your PostgreSQL database.

Overview

PostgreSQL is growing exponentially because it is open-source and has enterprise capabilities. However, it lacks an easy way to protect sensitive data.

Without application code changes, Baffle’s solution enables field-level encryption or tokenization and enforces least-privilege access to that data, including for the DBA.

Meet your compliance requirements. Make data breaches irrelevant.

Key benefits

Easy

No application code modification required

Fast

Deploy in hours not weeks

Comprehensive

One solution for masking, tokenization, and encryption

Secure

AES cryptographic protection

Flexible

No impact to user experience

Key Capabilities

No-code Changes

  • Legacy Applications can be migrated without expensive and time-consuming code changes.
  • Third-party apps like Tableau work out of the box.

Protect data-in-use (Least privileges) with dynamic data masking

  • Masking using role-based access control (RBAC) can be set per application or even per user.
  • Even the DBA can be denied access to sensitive data.

Real queryable encryption

  • Database-side operations like sort, search, math, and indexing can still be performed on encrypted data with negligible change in performance.

GenAI and pgvector Ready

Secured Vector Databases
  • Encrypt sensitive PII values in text chunks and embeddings
  • Perform similarity searches and other vector operations directly on encrypted values
  • Prevent data breaches through embeddings when using PostgreSQL as a vector database with pgvector

Tokenization without additional infrastructure.

  • Many applications can’t handle the ciphertext of traditional encryption. Format-preserving encryption (FPE) generates ciphertext that matches the datatype (down to the characters) and length of the plaintext.

SaaS multi-tenant data isolation

If tenants (your customers) demand that they get their own table or database to protect and isolate their data, then the scale advantage of SaaS is lost. Use Baffle record-level keying (RLK) or logical database-level keying (LDK) to isolate tenant data but maintain the SaaS scale.

Tenants can even provide access to their own encryption keys. This gives them more confidence in the security of their data, and if they ever remove access to their keys, their data is effectively “shredded”, so they don’t have to worry about ensuring the data is disposed of properly.

Compliance

NIST
  • NIST.FIPS.197 AES Encryption Standard
  • NIST 800-38G Format Preserving Encryption
PCI Security Standards Council
  • 3.5.1 PAN (credit card data) is rendered unreadable anywhere it is stored by using…strong cryptography
  • 3.5.1.2 If disk-level or partition-level encryption (FDE) … is used to render PAN unreadable…(it must) also (be) rendered unreadable via another mechanism that meets Requirement 3.5.1.
  • 3.4.1 PAN is masked when displayed (the BIN and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see more than the BIN and last four digits of the PAN
  • 3.4.2 When using remote-access technologies, technical controls prevent copy and/or relocation of PAN for all personnel, except for those with documented, explicit authorization and a legitimate, defined business need.
  • Third-party service - Where a third-party service provider (TPSP) receives and/or stores only data encrypted by another entity, and where they do not have the ability to decrypt the data, the TPSP may be able to consider the encrypted data out of scope if certain conditions are met.
GDPR
  • GDPR Article 34: Data subject notification required unless “…rendered personal data unintelligible….such as encryption”

Frequently asked questions

Open-source PostgreSQL doesn’t support transparent data encryption (TDE), but TDE isn’t an ideal solution in any case. TDE was created a long time ago to protect against physical theft of the database hard drives. The idea is simply to encrypt the data before it is saved to disk. While physical security is critical, it isn’t the threat vector that keeps CISOs up at night in modern datacenters. Encrypt laptop and phone drives to protect against physical theft, but modern enterprise databases require more.
