Thread

  1. Re: "WIP: Data at rest encryption" patch and, PostgreSQL 11-beta3

    Pavlo Golub <pavlo.golub@cybertec.at> — 2019-06-06T10:58:39Z

    Greetings, Antonin.
    
    You wrote 2019-06-05, 15:32:
    
    > Robert Haas <robertmhaas@gmail.com> wrote:
    
    >> On Fri, May 31, 2019 at 2:59 AM Antonin Houska <ah@cybertec.at> wrote:
    >> > > Sounds good.  I'm not quite sure how this is going to work.  Ideally
    >> > > you'd like the encryption key command to fetch the key from something
    >> > > like ssh-agent, or maybe pop up a window on the user's terminal with a
    >> > > key prompt.  Just reading from stdin and writing to stdout is not
    >> > > going to be very convenient...
    >> >
    >> > When I mentioned writing to stdout in my previous email, I viewed it from the
    >> > perspective of postmaster: whichever way the command gets the password from
    >> > the DBA, it'll always write it to stdout and postmaster will read it from
    >> > there. This was to address your objection that the executables do not actually
    >> > "return" strings.
    >> 
    >> So the part about returning strings is really just a wording issue:
    >> the documentation needs to talk about data sent to stdout or wherever,
    >> because that's what really happens, and somebody writing such a
    >> command from scratch needs to know what it must do.
    >> 
    >> What I'm talking about here is that it also has to be reasonably
    >> possible to write an encryption key command that does something
    >> useful.  I don't have a really clear vision for how that's going to
    >> work.  Nobody wants the server, which is probably being launched by
    >> pg_ctl or systemd or both, to prompt using its own stdin/stderr, but
    >> the we need to think about how the prompting is actually going to
    >> work.
    
    > Since you mentioned ssh-agent above, I think that postmaster can, instead of
    > running a command, create an unix socket and read the key from there. (I refer
    > only to the socket as a communication channel, not to the protocol - ssh-agent
    > does not seem to actually send key over the socket.) Unlike the socket for
    > backend connections, this one would only be readable by the user that runs
    > postmaster, and would only exist during the encryption initialization.
    
    > The simplest approach from the perspective of the DBA is that pg_ctl can write
    > the key to the socket. Besides that we can also implement a separate utility
    > to send the key, to be used in other special cases such as starting postgres
    > via systemd.
    
    > (If the unix socket is a problem on windows, we might need to use named pipe
    > instead.)
    
    Yes, that definitely a problem on Windows. Pipes seems reasonable. Are
    mapped files are appropriate from the security point of view?
    
    >> > The header comment in pg_upgrade.c indicates that this is because of TOAST. So
    >> > I think that dbnode and relfilenode are not preserved just because there was
    >> > no strong reason to do so by now.
    >> 
    >> Maybe you want to propose an independent patch making that change?
    
    > I think of a separate diff in the encryption patch series. As the encryption
    > is the only reason for this enhancement, I'm not sure if it deserves a
    > separate CF entry. (Although it might be considered refactoring because
    > eventually pg_upgrade won't need to handle the different relnodes, and thus it
    > might become a little bit simpler.)
    
    
    
    
    -- 
    Kind regards,
     Pavlo                          mailto:pavlo.golub@cybertec.at