Re: [HACKERS] WIP: Data at rest encryption
Antonin Houska <ah@cybertec.at>
From: Antonin Houska <ah@cybertec.at>
To: pgsql-hackers@postgresql.org
Date: 2018-06-27T08:02:03Z
Lists: pgsql-hackers
Attachments
- data-at-rest-encryption-wip-2018.06.27.patch (text/x-diff) patch
- README.encryption (text/plain)
Ants Aasma <ants.aasma@gmail.com> wrote: > Attached to this mail is a work in progress patch that adds an > extensible encryption mechanism. There are some loose ends left to tie > up, but the general concept and architecture is at a point where it's > ready for some feedback, fresh ideas and bikeshedding. Rebased patch is attached here, in case it helps to achieve (some of) the goals mentioned in the related thread [1]. Besides encrypting table and WAL pages, it encrypts the temporary files (buffile.c), data stored during logical decoding (reorderbuffer.c) and statistics temporary files (pgstat.c). Unlike the previous version, SLRU files (e.g. CLOG) are not encrypted (it does not seem critical and the encryption makes torn page write quite difficult to handle). Another difference is that we use the OpenSSL of the (tweaked) AES XTS cipher now. Binary upgrade from unencrypted to encrypted cluster is not implemented yet. [1] https://www.postgresql.org/message-id/031401d3f41d$5c70ed90$1552c8b0$@lab.ntt.co.jp -- Antonin Houska Cybertec Schönig & Schönig GmbH Gröhrmühlgasse 26, A-2700 Wiener Neustadt Web: https://www.cybertec-postgresql.com
Commits
-
Dramatically reduce System V shared memory consumption.
- b0fc0df9364d 9.3.0 cited