Re: storing an explicit nonce
Stephen Frost <sfrost@snowman.net>
From: Stephen Frost <sfrost@snowman.net>
To: Bruce Momjian <bruce@momjian.us>
Cc: Ants Aasma <ants@cybertec.at>, Sasasu <i@sasa.su>, PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2021-10-07T14:26:56Z
Lists: pgsql-hackers
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Rethink method for assigning OIDs to the template0 and postgres DBs.
- 2cb1272445d2 15.0 landed
-
pg_upgrade: Preserve database OIDs.
- aa01051418f1 15.0 landed
-
pg_upgrade: Preserve relfilenodes and tablespace OIDs.
- 9a974cbcba00 15.0 landed
-
Fix for new Boolean node
- cf925936ecc0 15.0 cited
-
Improve error handling of HMAC computations
- 5513dc6a304d 15.0 cited
-
Add macro RelationIsPermanent() to report relation permanence
- 95d77149c535 14.0 landed
-
Enhance nbtree index tuple deletion.
- d168b666823b 14.0 cited
Greetings, * Bruce Momjian (bruce@momjian.us) wrote: > On Wed, Oct 6, 2021 at 03:17:00PM -0400, Stephen Frost wrote: > > * Bruce Momjian (bruce@momjian.us) wrote: > > > On Tue, Oct 5, 2021 at 04:29:25PM -0400, Bruce Momjian wrote: > > > > On Tue, Sep 28, 2021 at 12:30:02PM +0300, Ants Aasma wrote: > > > > > On Mon, 27 Sept 2021 at 23:34, Bruce Momjian <bruce@momjian.us> wrote: > > > > > We are still working on our TDE patch. Right now the focus is on refactoring > > > > > temporary file access to make the TDE patch itself smaller. Reconsidering > > > > > encryption mode choices given concerns expressed is next. Currently a viable > > > > > option seems to be AES-XTS with LSN added into the IV. XTS doesn't have an > ----------------------------------------------------- > > > > > issue with predictable IV and isn't totally broken in case of IV reuse. > > > > > > > > Uh, yes, AES-XTS has benefits, but since it is a block cipher, previous > > > > 16-byte blocks affect later blocks, meaning that hint bit changes would > > > > also affect later blocks. I think this means we would need to write WAL > > > > full page images for hint bit changes to avoid torn pages. Right now > > > > hint bit (single bit) changes can be lost without causing torn pages. > > > > This was another of the advantages of using a stream cipher like CTR. > > > > > > Another problem caused by block mode ciphers is that to use the LSN as > > > part of the nonce, the LSN must not be encrypted, but you then have to > > > find a 16-byte block in the page that you don't need to encrypt. > > > > With AES-XTS, we don't need to use the LSN as part of the nonce though, > > so I don't think this argument is actually valid..? As discussed > > previously regarding AES-XTS, the general idea was to use the path to > > the file and the filename itself plus the block number as the IV, and > > that works fine for XTS because it's ok to reuse it (unlike with CTR). > > Yes, I would prefer we don't use the LSN. I only mentioned it since > Ants Aasma mentioned LSN use above. Ohhh, apologies for missing that, makes more sense now. Thanks! Stephen