Re: storing an explicit nonce

Stephen Frost <sfrost@snowman.net>

From: Stephen Frost <sfrost@snowman.net>
To: Bruce Momjian <bruce@momjian.us>
Cc: Ants Aasma <ants@cybertec.at>, Antonin Houska <ah@cybertec.at>, Robert Haas <robertmhaas@gmail.com>, Sasasu <i@sasa.su>, PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2021-10-12T12:25:52Z
Lists: pgsql-hackers

Commits

Same data as JSON: GET /api/v1/messages/:b64id/commits the thread's linked commits as JSON, with link sources. API reference →
  1. Rethink method for assigning OIDs to the template0 and postgres DBs.

  2. pg_upgrade: Preserve database OIDs.

  3. pg_upgrade: Preserve relfilenodes and tablespace OIDs.

  4. Fix for new Boolean node

  5. Improve error handling of HMAC computations

  6. Add macro RelationIsPermanent() to report relation permanence

  7. Enhance nbtree index tuple deletion.

Greetings,

* Bruce Momjian (bruce@momjian.us) wrote:
> On Tue, Oct 12, 2021 at 08:40:17AM +0300, Ants Aasma wrote:
> > On Mon, 11 Oct 2021 at 22:15, Bruce Momjian <bruce@momjian.us> wrote:
> > 
> >     > Yes, that's the direction that I was thinking also and specifically with
> >     > XTS as the encryption algorithm to allow us to exclude the LSN but keep
> >     > everything else, and to address the concern around the nonce/tweak/etc
> >     > being the same sometimes across multiple writes.  Another thing to
> >     > consider is if we want to encrypt zero'd page.  There was a point
> >     > brought up that if we do then we are encrypting a fair bit of very
> >     > predictable bytes and that's not great (though there's a fair bit about
> >     > our pages that someone could quite possibly predict anyway based on
> >     > table structures and such...).  I would think that if it's easy enough
> >     > to not encrypt zero'd pages that we should avoid doing so.  Don't recall
> >     > offhand which way zero'd pages were being handled already but thought it
> >     > made sense to mention that as part of this discussion.
> > 
> >     Yeah, I wanted to mention that.  I don't see any security difference
> >     between fully-zero pages, pages with headers and no tuples, and pages
> >     with headers and only a few tuples.  If any of those are insecure, they
> >     all are.  Therefore, I don't see any reason to treat them differently.
> > 
> > 
> > We had to special case zero pages and not encrypt them because as far as I can
> > tell, there is no atomic way to extend a file and initialize it to Enc(zero) in
> > the same step.
> 
> Oh, good point.  Yeah, we will need to handle that.

Not sure what's meant here by 'handle that', but I don't see any
particular reason to avoid doing exactly the same for zero pages with
TDE in core..?  I don't think there's any reason we need to make things
complicated to ensure that we encrypt entirely empty pages.

Thanks,

Stephen