Re: WIP: Data at rest encryption

Antonin Houska <ah@cybertec.at>

From: Antonin Houska <ah@cybertec.at>
To: Alvaro Herrera <alvherre@2ndquadrant.com>
Cc: Shawn Wang <shawn.wang@highgo.ca>, pgsql-hackers@lists.postgresql.org, Ants Aasma <ants.aasma@eesti.ee>
Date: 2019-09-04T04:56:18Z
Lists: pgsql-hackers
Alvaro Herrera <alvherre@2ndquadrant.com> wrote:

> On 2019-Aug-02, Shawn Wang wrote:
> 
> > Hi Antonin,
> > It is very glad to see the new patch. I used the public patches a long time ago.
> > I did some tests like the stream replication, much data running, temporary files encryption.
> > I found that there is an issue in the src/backend/storage/file/encryption.c. You should put block_size = EVP_CIPHER_CTX_block_size(ctx); under the #ifdef USE_ASSERT_CHECKING.
> > There is some problem to merge your patches to the latest kernel in the pg_ctl.c.
> 
> Is a new, fixed version going to be posted soon?  It's been a while.
> 
> Also, apologies if this has been asked before, but: how does this patch
> relate to the stuff being discussed in
> https://postgr.es/m/031401d3f41d$5c70ed90$1552c8b0$@lab.ntt.co.jp ?

This thread started later than our effort but important design questions are
being discussed there. So far there seems to be no consensus whether
full-instance encryption should be implemented first, so any effort spent on
this patch might get wasted. When/if there will be an agreement on the design,
we'll see how much of this patch can be used.

-- 
Antonin Houska
Web: https://www.cybertec-postgresql.com



Commits

  1. Dramatically reduce System V shared memory consumption.