Re: Internal key management system
Bruce Momjian <bruce@momjian.us>
From: Bruce Momjian <bruce@momjian.us>
To: Masahiko Sawada <masahiko.sawada@2ndquadrant.com>
Cc: PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>, "Moon, Insung" <tsukiwamoon.pgsql@gmail.com>, Cary Huang <cary.huang@highgo.ca>, Robert Haas <robertmhaas@gmail.com>, Fabien COELHO <coelho@cri.ensmp.fr>, Sehrope Sarkuni <sehrope@jackdb.com>, cary huang <hcary328@gmail.com>, Ibrar Ahmed <ibrar.ahmad@gmail.com>, Joe Conway <mail@joeconway.com>
Date: 2020-03-19T13:00:54Z
Lists: pgsql-hackers
On Thu, Mar 19, 2020 at 06:32:57PM +0900, Masahiko Sawada wrote: > On Thu, 19 Mar 2020 at 15:59, Masahiko Sawada > > I understand that your idea is to include fixed length string to the > > 256 bit key in order to separate key space. But if we do that, I think > > that the key strength would actually be the same as the strength of > > weaker key length, depending on how we have the fixed string. I think > > if we want to have multiple key spaces, we need to derive keys from the > > master key using KDF. > > Or we can simply generate a different encryption key for block > encryption. Therefore we will end up with having two encryption keys > inside database. Maybe we can discuss this after the key manager has > been introduced. I know Sehrope liked derived keys so let's get his feedback on this. We might want to have two keys anyway for key rotation purposes. -- Bruce Momjian <bruce@momjian.us> https://momjian.us EnterpriseDB https://enterprisedb.com + As you are, so once was I. As I am, so you will be. + + Ancient Roman grave inscription +