Re: Internal key management system

Craig Ringer <craig.ringer@enterprisedb.com>

From: Craig Ringer <craig.ringer@enterprisedb.com>
To: Bruce Momjian <bruce@momjian.us>
Cc: Masahiko Sawada <masahiko.sawada@2ndquadrant.com>, Fabien COELHO <coelho@cri.ensmp.fr>, Cary Huang <cary.huang@highgo.ca>, Ahsan Hadi <ahsan.hadi@gmail.com>, PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>, "Moon, Insung" <tsukiwamoon.pgsql@gmail.com>, Robert Haas <robertmhaas@gmail.com>, Sehrope Sarkuni <sehrope@jackdb.com>, cary huang <hcary328@gmail.com>, Ibrar Ahmed <ibrar.ahmad@gmail.com>, Joe Conway <mail@joeconway.com>
Date: 2020-10-28T04:02:46Z
Lists: pgsql-hackers
On Wed, Oct 28, 2020 at 9:43 AM Bruce Momjian <bruce@momjian.us> wrote:
>

> I don't know much about how to hook into that stuff so if you have an
> idea, I am all ears.


Yeah, I have a reasonable idea. The main thing will be to re-read the patch
and put it into more concrete terms, which I'll try to find time for soon.
I need to find time to craft a proper demo that uses a virtual hsm, and can
also demonstrate how to use the host TPM or a Yubikey using the simple
openssl engine interfaces or a URI.


 I have used OpenSSL with Yubikey via pksc11.  You
> can see the use of it on slide 57 and following:
>
>         https://momjian.us/main/writings/crypto_hw_config.pdf#page=57
>
> Interestingly, that still needed the user to type in a key to unlock the
> Yubikey, so we might need PKCS11 and a password for the same server
> start.
>


Yes, that's possible. But in that case the passphrase will be asked for by
openssl only when required, and we'll need to supply an openssl askpass
hook.