Re: "WIP: Data at rest encryption" patch and, PostgreSQL 11-beta3
Peter Eisentraut <peter.eisentraut@2ndquadrant.com>
From: Peter Eisentraut <peter.eisentraut@2ndquadrant.com>
To: Antonin Houska <ah@cybertec.at>, Bruce Momjian <bruce@momjian.us>
Cc: Robert Haas <robertmhaas@gmail.com>,
Toshi Harada <harada.toshi@po.ntt-tx.co.jp>,
"pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>
Date: 2019-06-25T12:28:00Z
Lists: pgsql-hackers
On 2019-06-17 11:23, Antonin Houska wrote: > I'm thinking how to teach postmaster to accept FEBE protocol connections > temporarily, just to receive the key. The user applications like pg_ctl, > initdb or pg_upgrade would retrieve the key / password from the DBA, then > start postmaster and send it the key. > > Perhaps the message format should be a bit generic so that extensions like > this can use it to receive their keys too. > > (The idea of an unix socket or named pipe I proposed upthread is not good > because it's harder to implement in a portable way.) How are the requirements here different from ssl_passphrase_command? Why do we need a new mechanism? -- Peter Eisentraut http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
Commits
-
Dramatically reduce System V shared memory consumption.
- b0fc0df9364d 9.3.0 cited