Re: [Proposal] Table-level Transparent Data Encryption (TDE) and Key Management Service (KMS)
Bruce Momjian <bruce@momjian.us>
From: Bruce Momjian <bruce@momjian.us>
To: Sehrope Sarkuni <sehrope@jackdb.com>
Cc: Masahiko Sawada <sawada.mshk@gmail.com>, Joe Conway <mail@joeconway.com>, Antonin Houska <ah@cybertec.at>, Stephen Frost <sfrost@snowman.net>, Tomas Vondra <tomas.vondra@2ndquadrant.com>, Robert Haas <robertmhaas@gmail.com>, Haribabu Kommi <kommi.haribabu@gmail.com>, "Moon, Insung" <Moon_Insung_i3@lab.ntt.co.jp>, Ibrar Ahmed <ibrar.ahmad@gmail.com>, PostgreSQL-development <pgsql-hackers@postgresql.org>
Date: 2019-07-30T12:16:04Z
Lists: pgsql-hackers
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Revamp the WAL record format.
- 2c03216d8311 9.5.0 cited
Attachments
- lsn.diff (text/x-diff) patch
On Tue, Jul 30, 2019 at 07:44:20AM -0400, Sehrope Sarkuni wrote: > On Mon, Jul 29, 2019 at 8:35 PM Bruce Momjian <bruce@momjian.us> wrote: > From the patch: > > /* > ! * The initialization vector (IV) is used for page-level > ! * encryption. We use the LSN and page number as the IV, and IV > ! * values must never be reused since it is insecure. It is safe > ! * to use the LSN on multiple pages in the same relation since > ! * the page number is part of the IV. It is unsafe to reuse the > ! * LSN in different relations because the page number might be > ! * the same, and hence the IV. Therefore, we check here that > ! * we don't have WAL records for different relations using the > ! * same LSN. > ! */ > > If each relation file has its own derived key, the derived TDEK for that > relation file, then there is no issue with reusing the same IV = LSN || Page > Number. The TDEKs will be different so Key + IV will never collide. So, this email explains that we are considering not using the relfilenode/tablepsace/database to create a derived key per relation, but us the same key for all relaions because the IV will be unique per page across all relations: https://www.postgresql.org/message-id/20190729134442.2bxakegiqafxgj6u@momjian.us There is talk of using a derived key with a contant to make sure all heap/index files use a different derived key than WAL, but I am not sure. This is related to whether WAL IV and per-heap/index IV can collide. There are other emails in the thread that also discuss the topic. The issue is that we add a lot of complexity to other parts of the system, (e.g. pg_upgrade, CREATE DATABASE, moving relations between tablespaces) to create a derived key, so we should make sure we need it before we do it. > In general it's fine to use the same IV with different keys. Only reuse of Key > + IV is a problem and the entire set of possible counter values (IV + 0, IV + > 1, ...) generated with a key must be unique. That's also why we must leave at > least log2(PAGE_SIZE / AES_BLOCK_SIZE) bits at the end of the IV to be filled > in with 0, 1, 2, ... for each 16-byte AES-block on the page. If our per-page IV > prefix used any of those bits then the counter could overflow into the next > page's IV's range. Agreed. Attached is an updated patch that checks only main relation forks, which I think are the only files we are going ot encrypt, and it has better comments. -- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB http://enterprisedb.com + As you are, so once was I. As I am, so you will be. + + Ancient Roman grave inscription +