Re: [Proposal] Table-level Transparent Data Encryption (TDE) and Key Management Service (KMS)
Peter Eisentraut <peter.eisentraut@2ndquadrant.com>
From: Peter Eisentraut <peter.eisentraut@2ndquadrant.com>
To: Tomas Vondra <tomas.vondra@2ndquadrant.com>,
Bruce Momjian <bruce@momjian.us>
Cc: Stephen Frost <sfrost@snowman.net>, Joe Conway <mail@joeconway.com>,
Masahiko Sawada <sawada.mshk@gmail.com>, Robert Haas
<robertmhaas@gmail.com>, Antonin Houska <ah@cybertec.at>,
Haribabu Kommi <kommi.haribabu@gmail.com>,
"Moon, Insung" <Moon_Insung_i3@lab.ntt.co.jp>,
Ibrar Ahmed <ibrar.ahmad@gmail.com>,
PostgreSQL-development <pgsql-hackers@postgresql.org>
Date: 2019-07-07T19:05:26Z
Lists: pgsql-hackers
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Revamp the WAL record format.
- 2c03216d8311 9.5.0 cited
On 2019-07-05 22:24, Tomas Vondra wrote: > What if the granular encryption (not the "whole cluster with a single > key") case does not encrypt whole blocks, but just tuple data? Would > that allow at least the most critical WAL use cases (recovery, physical > replication) to work without having to know all the encryption keys? Finding the exact point where you divide up sensitive and non-sensitive data would be difficult. For example, say, you encrypt the tuple payload but not the tuple header, so that vacuum would still work. Then, someone who has access to the raw data directory could infer in combination with commit timestamps for example, that on Friday between 5pm and 6pm, 10000 records were updated, 500 were inserted, and 200 were deleted, and that table has about this size, and this happens every Friday, and so on. That seems way to much information to reveal for an allegedly encrypted data directory. -- Peter Eisentraut http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services