Re: Internal key management system
Jose Luis Tallon <jltallon@adv-solutions.net>
From: Jose Luis Tallon <jltallon@adv-solutions.net>
To: Cary Huang <cary.huang@highgo.ca>,
Masahiko Sawada <masahiko.sawada@2ndquadrant.com>
Cc: Fabien COELHO <coelho@cri.ensmp.fr>, Bruce Momjian <bruce@momjian.us>,
Ahsan Hadi <ahsan.hadi@gmail.com>,
PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>,
"Moon, Insung" <tsukiwamoon.pgsql@gmail.com>,
Robert Haas <robertmhaas@gmail.com>, Sehrope Sarkuni <sehrope@jackdb.com>,
cary huang <hcary328@gmail.com>, Ibrar Ahmed <ibrar.ahmad@gmail.com>,
Joe Conway <mail@joeconway.com>
Date: 2020-06-18T18:21:56Z
Lists: pgsql-hackers
On 18/6/20 19:41, Cary Huang wrote: > Hi all > > Having read through the discussion, I have some comments and > suggestions that I would like to share. > > I think it is still quite early to even talk about external key > management system even if it is running on the same host as PG. This > is most likely achieved as an extension that can provide communication > to external key server and it would be a separate project/discussion. > I think the focus now is to finalize on the internal KMS design, and > we can discuss about how to migrate internally managed keys to the > external when the time is right. As long as there exists a clean interface, and the "default" (internal) backend is a provider of said functionality, it'll be fine. Given that having different KMS within a single instance (e.g. per database) is quite unlikely, I suggest just exposing hook-like function-pointer variables and be done with it. Requiring a preloaded library for this purpose doesn't seem too restrictive ---at least at this stage--- and can be very easily evolved in the future --- super-simple API which receives a struct made of function pointers, plus another function to reset it to "internal defaults" and that's it. > > Key management system is generally built to manage the life cycle of > cryptographic keys, so our KMS in my opinion needs to be built with > key life cycle in mind such as: > > * Key generation > * key protection > * key storage > * key rotation > * key rewrap > * key disable/enable > * key destroy Add the support functions for your suggested "key information" functionality, and that's a very rough first draft of the API ... > KMS should not perform the above life cycle management by itself > automatically or hardcoded, instead it should expose some interfaces > to the end user or even a backend process like TDE to trigger the above. > The only key KMS should manage by itself is the KEK, which is derived > from cluster passphrase value. This is fine in my opinion. This KEK > should exist only within KMS to perform key protection (by wrapping) > and key storage (save as file). Asking for the "cluster password" is something better left optional / made easily overrideable ... or we risk thousands of clusters suddenly not working after a reboot.... :S Just my .02€ Thanks, J.L.