Re: WIP: Data at rest encryption
Aleksander Alekseev <a.alekseev@postgrespro.ru>
From: Aleksander Alekseev <a.alekseev@postgrespro.ru>
To: Peter Eisentraut <peter.eisentraut@2ndquadrant.com>
Cc: Ants Aasma <ants.aasma@eesti.ee>, Robert Haas <robertmhaas@gmail.com>, PostgreSQL-development <pgsql-hackers@postgresql.org>
Date: 2017-06-14T09:04:26Z
Lists: pgsql-hackers
Hi Ants, On Tue, Jun 13, 2017 at 09:07:49AM -0400, Peter Eisentraut wrote: > On 6/12/17 17:11, Ants Aasma wrote: > > I'm curious if the community thinks this is a feature worth having? > > Even considering that security experts would classify this kind of > > encryption as a checkbox feature. > > File system encryption already exists and is well-tested. I don't see > any big advantages in re-implementing all of this one level up. You > would have to touch every single place in PostgreSQL backend and tool > code where a file is being read or written. Yikes. I appreciate your work, but unfortunately I must agree with Peter. On Linux you can configure the full disc encryption using LUKS / dm-crypt in like 5 minutes [1]. On FreeBSD you can do the same using geli [2]. In my personal opinion PostgreSQL is already complicated enough. A few companies that hired system administrators that are too lazy to read two or three man pages is not a reason to re-implement file system encryption (or compression, or mirroring if that matters) in any open source RDBMS. [1] http://eax.me/dm-crypt/ [2] http://eax.me/freebsd-geli/ -- Best regards, Aleksander Alekseev
Commits
-
Dramatically reduce System V shared memory consumption.
- b0fc0df9364d 9.3.0 cited