Skip to main content

pgagroal manual · Explanation · upstream 2.1.0

Security

From the upstream pgagroal manual, rendered in the Elevarq documentation style. Single-sourced from the pinned pgagroal release.

\newpage

This chapter provides comprehensive security guidance for [pgagroal][pgagroal] deployments.

Security Models

AES-GCM (Galois/Counter Mode) is the recommended encryption mode in pgagroal. It provides both confidentiality (encryption) and integrity/authenticity (verification), ensuring that encrypted data has not been tampered with. Legacy modes (AES-CBC and AES-CTR) have been removed to ensure the highest security standards and to leverage modern CPU optimizations.

Why AES-GCM?

GCM is an Authenticated Encryption with Associated Data (AEAD) mode. Unlike CBC or CTR, which only provide confidentiality, GCM includes a built-in authentication tag. This protects against:

Performance Benchmarks

You can verify your system's encryption performance using OpenSSL speed tests:

# Verify AES-NI support
cat /proc/cpuinfo | grep aes

# Test single-core performance
openssl speed -elapsed -evp aes-256-gcm

# Test multi-core performance (e.g., 8 cores)
openssl speed -multi 8 -elapsed -evp aes-256-gcm

Modern high-performance systems typically see throughput exceed 5GB/s per core for AES-256-GCM. In pgagroal, the most significant performance gain comes from the two-step key derivation, which reduces the per-entry PBKDF2 overhead by 600,000x (from 600,000 iterations to 1, once the master key is derived and cached). This ensures that even with hundreds of vault entries, operations remain instantaneous.

Key Derivation and Caching

[pgagroal][pgagroal] supports multiple security models to meet different deployment requirements.

Pass-through Security

[pgagroal][pgagroal] uses pass-through security by default.

This means that [pgagroal][pgagroal] delegates to PostgreSQL to determine if the credentials used are valid.

Once a connection is obtained [pgagroal][pgagroal] will replay the previous communication sequence to verify the new client. This only works for connections using trust, password or md5 authentication methods, so scram-sha-256 based connections are not cached.

Security Considerations:

Management protocol encryption

The management wire protocol has been updated in 2.1.0 to exclusively use authenticated encryption (GCM). Legacy CBC and CTR modes are no longer supported.

While this does not affect on-disk data, it is a breaking change for mixed-version deployments:

Action required:

User Vault

A user vault is a vault which defines the known users and their password.

The vault is static, and is managed through the pgagroal-admin tool.

The user vault is specified using the -u or --users command line parameter.

Frontend Users

The -F or --frontend command line parameter allows users to be defined for the client to [pgagroal][pgagroal] authentication. This allows the setup to use different passwords for the [pgagroal][pgagroal] to PostgreSQL authentication.

All users defined in the frontend authentication must be defined in the user vault (-u).

Frontend users (-F) requires a user vault (-u) to be defined.

Vault Encryption

pgagroal uses AES-256-GCM encryption for storing user credentials in vault files. This provides authenticated encryption, ensuring both confidentiality and integrity for all sensitive data.

Key derivation is implemented as a high-performance two-step process based on PKCS5_PBKDF2_HMAC with a SHA-256 hash:

Each encrypted entry uses a standardized 28-byte header followed by the ciphertext and a trailing 16-byte authentication tag:

This architecture provides the security of the full iteration count for the main passphrase while allowing sub-second performance for bulk vault operations. Unlike older versions that supported multiple AES modes, pgagroal now exclusively uses GCM to provide built-in integrity protection (via an authentication tag). This ensures that any tampering with the vault file or the use of an incorrect master key will be immediately detected.

Authentication Query

Authentication query will use the below defined function to query the database for the user password:

CREATE FUNCTION public.pgagroal_get_password(
  IN  p_user     name,
  OUT p_password text
) RETURNS text
LANGUAGE sql SECURITY DEFINER SET search_path = pg_catalog AS
$SELECT passwd FROM pg_shadow WHERE usename = p_user$;

This function needs to be installed in each database.

Network Security

Host-Based Authentication

Configure pgagroal_hba.conf to restrict access:

# TYPE  DATABASE USER  ADDRESS  METHOD
host    mydb     myuser 192.168.1.0/24  scram-sha-256
host    mydb     myuser 10.0.0.0/8      scram-sha-256

TLS Configuration

For complete TLS setup, see Transport Level Security (TLS).

Key security considerations:

Access Control

User Management

Use pgagroal-admin to manage users securely:

# Create master key
pgagroal-admin -g master-key

# Add users with strong passwords
pgagroal-admin -f pgagroal_users.conf user add

Database Access Control

Configure database-specific access in pgagroal_databases.conf:

# DATABASE USER    MAX_SIZE INITIAL_SIZE MIN_SIZE
production myuser  10       5            2
test       testuser 5       2            1

Administrative Access

Secure administrative access:

# Create admin users with strong credentials
pgagroal-admin -f pgagroal_admins.conf -U admin user add

Hardening Guidelines

System-Level Security

Configuration Security

Monitoring and Auditing

Security Best Practices

Production Deployment

Development and Testing

Compliance Considerations

For environments requiring compliance (PCI DSS, HIPAA, etc.):

Security Troubleshooting

Common Security Issues

Authentication failures:

TLS connection issues:

Access denied errors:

Security Monitoring

Monitor these security-related metrics: