- Canonical's free PostgreSQL security guide turns defaults into a breach surface.
- Five pillars — sandboxing, supply chain, storage, logging, install — map to PCI-DSS, CIS, DISA-STIG.
- Here's what actually matters.
TL;DR
Canonical (the company behind Ubuntu) published a free PostgreSQL Security Best Practices whitepaper on 19 Sep 2025 and re-promoted it in April 2026. The premise is blunt: most Postgres breaches start with misconfiguration, not zero-days. The guide stacks defenses into five pillars — sandboxing, supply-chain, storage, logging, install — and aligns them to ISO 27k, PCI-DSS, CIS, DISA-STIG, and FedRAMP. If you self-host Postgres on Linux, this is the checklist you wanted.
What's new
Postgres is now the most popular database among professionals per StackOverflow's 2025 survey, and adoption grew 52% in 2020 alone. Popularity attracts attackers. Botnets like PgMiner sweep the public internet for misconfigured instances — default credentials, wide-open pg_hba.conf, port 5432 exposed to 0.0.0.0 — then crypto-mine or pivot. Canonical's guide is a direct response: an opinionated, Ubuntu-flavored hardening playbook that maps each control to a compliance requirement.
Why it matters
Two numbers from the guide explain the stakes: 99% of enterprise codebases contain open source, and 80% of cyberattacks target the application layer. Your Postgres instance is both. A hardened default isn't enough because teams routinely loosen defaults to ship faster — binding to all interfaces, reusing the postgres superuser in apps, or skipping TLS in staging. One weak config beats many strong ones.
Technical facts — the controls that matter
Authentication. Use scram-sha-256. md5 is deprecated. Lock pg_hba.conf to explicit db + user + CIDR tuples, never all/all/0.0.0.0/0.
local my_db my_user scram-sha-256
hostssl my_db my_user 172.16.253.47/32 scram-sha-256Transport encryption. Enforce hostssl or hostgssenc. In postgresql.conf set ssl_cert_file, ssl_key_file, ssl_ca_file, ssl_ciphers, and ssl_min_protocol_version = 'TLSv1.2'. Self-signed cert is fine for dev — production needs a trusted CA.
Data at rest. Load pgcrypto for column-level encryption of PII. Use LUKS or filesystem-level encryption for the data volume. Encrypt backups both at rest and in transit and test restores on a schedule.
Least privilege. Never use the postgres superuser in applications. Create group roles that reflect permissions, grant them to login roles, and use pg_monitor / pg_read_all_stats instead of superuser for observability. SET ROLE with NOINHERIT for temporary elevation. Enable Row Level Security for multi-tenant tables.
Audit logging. Install the pgAudit extension. Typical config:
pgaudit.log = 'read, write, ddl, role'
log_connections = on
log_disconnections = onShip logs to ELK or Splunk — audit value is zero if nobody reads them.
Brute-force hardening. Set authentication_timeout, load the auth_delay contrib module, and cap max_connections so a flood can't exhaust the pool.
Comparison — self-hosted vs managed
| Concern | Self-host on Ubuntu Pro | Managed (RDS / Cloud SQL) |
|---|---|---|
| Patching | Livepatch + 10-yr CVE coverage | Automated, vendor schedule |
pg_hba.conf control | Full | Limited to parameter groups |
| pgAudit flexibility | Full | Partial / provider-gated |
| TLS / CA choice | Your PKI | Provider CA |
| Compliance mapping | DIY but auditable | Shared-responsibility model |
If your compliance auditor wants proof of every control, self-hosted + this guide gives you the paper trail. If you want to trade control for ops savings, managed wins — but don't pretend managed means hardened by default.
Use cases
- Regulated workloads — fintech, healthcare, government teams that must map controls to PCI-DSS, HIPAA, or DISA-STIG.
- SaaS migrating off RDS — teams pulling back to self-hosted for cost or data-residency reasons and rebuilding a baseline.
- Multi-tenant platforms — RLS + group roles + pgAudit give per-tenant isolation with an audit trail.
- Post-incident cleanup — teams that got scanned by PgMiner-class botnets and need a checklist, not a blog post.
Limitations & pricing
The whitepaper is free but gated behind a lead form on ubuntu.com. The advice is vendor-flavored: Livepatch, Ubuntu Pro tiers, and Canonical's managed Postgres service all get a plug. Ubuntu Pro is free for up to 5 personal machines; enterprise tiers and 24/7 app-level support are paid. Teams on RHEL, Debian, or Alpine can still apply ~90% of the controls — only the Livepatch + Pro-specific bits need translation. Heavy encryption stacks (FDE + HSM + pgcrypto) add CPU overhead, so benchmark before turning everything on in hot paths.
What's next
Expect an updated CIS PostgreSQL Benchmark and more feature parity between self-hosted hardening and managed services — especially around audit-log export and CMEK. If you run Postgres anywhere production-ish, treat this guide as the minimum bar and your next sprint's backlog.
Sources: Canonical — PostgreSQL security best practices, Ubuntu blog — PgMiner botnet, EnterpriseDB — hardening checklist, postgresql.org/security.
