Re: [Proposal] Table-level Transparent Data Encryption (TDE) and Key Management Service (KMS)
Bruce Momjian <bruce@momjian.us>
From: Bruce Momjian <bruce@momjian.us>
To: Stephen Frost <sfrost@snowman.net>
Cc: Masahiko Sawada <sawada.mshk@gmail.com>, Antonin Houska <ah@cybertec.at>, Sehrope Sarkuni <sehrope@jackdb.com>, Joe Conway <mail@joeconway.com>, Tomas Vondra <tomas.vondra@2ndquadrant.com>, Robert Haas <robertmhaas@gmail.com>, Haribabu Kommi <kommi.haribabu@gmail.com>, "Moon, Insung" <Moon_Insung_i3@lab.ntt.co.jp>, Ibrar Ahmed <ibrar.ahmad@gmail.com>, PostgreSQL-development <pgsql-hackers@postgresql.org>
Date: 2019-08-24T00:27:21Z
Lists: pgsql-hackers
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Revamp the WAL record format.
- 2c03216d8311 9.5.0 cited
On Fri, Aug 23, 2019 at 10:35:17AM -0400, Stephen Frost wrote: > > Agreed. The features of other databases are a clear source for what we > > should consider and run through the useful/reasonable filter. > > Following on from that- when other databases don't have something that > we're thinking about implementing, maybe we should be contemplating if > it really makes sense as a requirement for us. Yes, that's a good point. > Specifically in this case- I went back and tried to figure out what > other database systems have an "encrypt EVERYTHING" option. I didn't > have much luck finding one though. So I think we need to ask ourselves- > the "check box" that we're trying to check off with TDE, do the other > database system check that box? If so, then it looks like the "check > box" isn't actually "encrypt EVERYTHING", it's more along the lines of > "make sure all regular user data is encrypted automatically" or some > such, and that's a very different requirement, which seems to be > answered by the other systems by having a KMS + tablespace/database > level encryption. We certainly shouldn't be putting a lot of effort > into building something that is either overkill or won't be interesting > to users due to limitations like "have to take the entire cluster > offline to re-key it". Well, I think they might do that to reduce encryption overhead. I think tests have shown that is not an issue, but we will need to test further. I am not sure of the downside of encrypting everything, since it leaks the least information and has a minimal user API and code impact. What is the value of encrypting only the user rows? Better key control? > Now, that KMS has to be encrypted using a master key, of course, and we > have to make sure that it is able to survive across a crash, and it'd > sure be nice if it was indexed. One option for such a KMS would be > something entirely external (which could potentially just be another PG > database or something) but it'd be nice if we had something built-in. > We might also want it to be replicated (or maybe we don't, as was > discussed on the call, to allow for a replica to use an independent set > of keys- of course that leads to issues with pg_rewind and such though). I think the replica could use a different key for the relations, but the WAL key would have to be the same. > Anything built-in does seem like it'd be a fair bit of work to get it to > address those requirements, but that does seem to be what the other > database systems have done. Unfortunately, their documentation doesn't > seem to really say exactly what they've done to address that. I do like they pgcrypto key support to be per-database so pg_dump will dump the data encrypted, and with its locked keys. -- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB http://enterprisedb.com + As you are, so once was I. As I am, so you will be. + + Ancient Roman grave inscription +