Re: [Proposal] Table-level Transparent Data Encryption (TDE) and KeyManagement Service (KMS) - Mailing list pgsql-hackers
| From | Bruce Momjian |
|---|---|
| Subject | Re: [Proposal] Table-level Transparent Data Encryption (TDE) and KeyManagement Service (KMS) |
| Date | |
| Msg-id | 20190711223741.qa46bx4ikwtmk3cc@momjian.us Whole thread Raw |
| In response to | Re: [Proposal] Table-level Transparent Data Encryption (TDE) and KeyManagement Service (KMS) (Bruce Momjian <bruce@momjian.us>) |
| Responses |
Re: [Proposal] Table-level Transparent Data Encryption (TDE) and KeyManagement Service (KMS)
Re: [Proposal] Table-level Transparent Data Encryption (TDE) and KeyManagement Service (KMS) Re: [Proposal] Table-level Transparent Data Encryption (TDE) and KeyManagement Service (KMS) Re: [Proposal] Table-level Transparent Data Encryption (TDE) and KeyManagement Service (KMS) |
| List | pgsql-hackers |
On Wed, Jul 10, 2019 at 12:26:24PM -0400, Bruce Momjian wrote: > On Wed, Jul 10, 2019 at 08:31:17AM -0400, Joe Conway wrote: > > Please see my other reply (and > > https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf > > appendix C as pointed out by Ryan downthread). > > > > At least in my mind, I trust a published specification from the > > nation-state level over random blogs or wikipedia. If we can find some > > equivalent published standards that contradict NIST we should discuss > > it, but for my money I would prefer to stick with the NIST recommended > > method to produce the IVs. > > So, we have had a flurry of activity on this thread in the past day, so > let me summarize: Seems we have an updated approach: First, we need to store the symmetric encryption key in the data directory, like we do for SSL certificates and private keys. (Crash recovery needs access to this key, so we can't easily store it in a database table.) We will pattern it after the GUC ssl_passphrase_command. We will need to decide on a format for the symmetric encryption key in the file so we can check that the supplied passphrase properly unlocks the key. Our first implementation will encrypt the entire cluster. We can later consider encryption per table or tablespace. It is unclear if encrypting different parts of the system with different keys is useful or feasible. (This is separate from key rotation.) We will use CBC AES128 mode for tables/indexes, and CTR AES128 for WAL. 8k pages will use the LSN as a nonce, which will be encrypted to generate the initialization vector (IV). We will not encrypt the first 16 bytes of each pages so the LSN can be used in this way. The WAL will use the WAL file segment number as the nonce and the IV will be created in the same way. wal_log_hints will be enabled automatically in encryption mode, like we do for checksum mode, so we never encrypt different 8k pages with the same IV. There will need to be a pg_control field to indicate that encryption is in use. Right now we don't support the online changing of a cluster's checksum mode, so I suggest we create a utility like pg_checksums --enable to allow offline key rotation. Once we get online checksum mode changing ability, we can look into use that for encryption key rotation. Did I miss anything? -- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB http://enterprisedb.com + As you are, so once was I. As I am, so you will be. + + Ancient Roman grave inscription +
pgsql-hackers by date: