Re: Internal key management system
Robert Haas <robertmhaas@gmail.com>
From: Robert Haas <robertmhaas@gmail.com>
To: Cary Huang <cary.huang@highgo.ca>
Cc: Masahiko Sawada <masahiko.sawada@2ndquadrant.com>,
Fabien COELHO <coelho@cri.ensmp.fr>, PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>,
Sehrope Sarkuni <sehrope@jackdb.com>, cary huang <hcary328@gmail.com>, "Moon,
Insung" <tsukiwamoon.pgsql@gmail.com>, Ibrar Ahmed <ibrar.ahmad@gmail.com>, Joe Conway <mail@joeconway.com>, Bruce Momjian <bruce.momjian@enterprisedb.com>
Date: 2020-02-14T15:37:10Z
Lists: pgsql-hackers
On Thu, Feb 6, 2020 at 4:37 PM Cary Huang <cary.huang@highgo.ca> wrote:
> Since the user does not need to know the master secret key used to cipher the data, I don't think we should expose "pg_kmgr_unwrap("xxxx")" SQL function to the user at all.
> The wrapped key "xxxx" is stored in control data and it is possible to obtain by malicious user and steal the key by running SELECT pg_kmgr_unwrap("xxxx").
> Even the user is righteous, it may not be very straightforward for that user to obtain the wrapped key "xxxx" to use in the unwrap function.
I agree.
> so instead of:
> ------------------
> INSERT INTO tbl VALUES (pg_encrypt('user data', pg_kmgr_unwrap('xxxxx'));
> SELECT pg_decrypt(secret_column, pg_kmgr_unwrap('xxxxx')) FROM tbl;
>
> it would become:
> ------------------
> INSERT INTO tbl VALUES (pg_encrypt('user data', 'cluster_pass_phrase');
> SELECT pg_decrypt(secret_column, 'cluster_pass_phrase') FROM tbl;
The second one is certainly better than the first one, as it prevents
the key from being stolen. It's still pretty bad, though, because the
supposedly-secret passphrase will end up in the server log.
I have a hard time believing that this feature as currently proposed
is worth anything.
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company