Re: [Proposal] Table-level Transparent Data Encryption (TDE) and Key Management Service (KMS)
Sehrope Sarkuni <sehrope@jackdb.com>
From: Sehrope Sarkuni <sehrope@jackdb.com>
To: Bruce Momjian <bruce@momjian.us>
Cc: Joe Conway <mail@joeconway.com>, Antonin Houska <ah@cybertec.at>, Stephen Frost <sfrost@snowman.net>, Masahiko Sawada <sawada.mshk@gmail.com>, Tomas Vondra <tomas.vondra@2ndquadrant.com>,
Robert Haas <robertmhaas@gmail.com>, Haribabu Kommi <kommi.haribabu@gmail.com>, "Moon,
Insung" <Moon_Insung_i3@lab.ntt.co.jp>, Ibrar Ahmed <ibrar.ahmad@gmail.com>, PostgreSQL-development <pgsql-hackers@postgresql.org>
Date: 2019-07-12T11:26:21Z
Lists: pgsql-hackers
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Revamp the WAL record format.
- 2c03216d8311 9.5.0 cited
On Thu, Jul 11, 2019 at 9:05 PM Bruce Momjian <bruce@momjian.us> wrote: > > On Thu, Jul 11, 2019 at 08:41:52PM -0400, Joe Conway wrote: > > I vote for AES 256 rather than 128. > > Why? This page seems to think 128 is sufficient: > > https://crypto.stackexchange.com/questions/20/what-are-the-practical-differences-between-256-bit-192-bit-and-128-bit-aes-enc > > For practical purposes, 128-bit keys are sufficient to ensure security. > The larger key sizes exist mostly to satisfy some US military > regulations which call for the existence of several distinct "security > levels", regardless of whether breaking the lowest level is already far > beyond existing technology. > > We might need to run some benchmarks to determine the overhead of going > to AES256, because I am unclear of the security value. If the algorithm and key size is not going to be configurable then better to lean toward the larger size, especially given the desire for future proofing against standards evolution and potential for the encrypted data to be very long lived. NIST recommends AES-128 or higher but there are other publications that recommend AES-256 for long term usage: NIST - 2019 : Recommends AES-128, AES-192, or AES-256. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf NSA - 2016 : Recommends AES-256 for future quantum resistance. https://apps.nsa.gov/iaarchive/library/ia-guidance/ia-solutions-for-classified/algorithm-guidance/cnsa-suite-and-quantum-computing-faq.cfm ECRYPT - 2015 - Recommends AES-256 for future quantum resistance. https://www.ecrypt.eu.org/csa/documents/PQC-whitepaper.pdf ECRYPT - 2018 - Recommends AES-256 for long term use. https://www.ecrypt.eu.org/csa/documents/D5.4-FinalAlgKeySizeProt.pdf Regards, -- Sehrope Sarkuni Founder & CEO | JackDB, Inc. | https://www.jackdb.com/