Bruce Momjian <bruce@momjian.us> wrote:
> On Mon, Nov 29, 2021 at 08:37:31AM +0100, Antonin Houska wrote:
> > The changes to buffile.c are not trivial, but we haven't really changed the
> > API, as long as you mean BufFileCreateTemp(), BufFileWrite(), BufFileRead().
> >
> > What our patch affects on the caller side is that BufFileOpenTransient(),
> > BufFileCloseTransient(), BufFileWriteTransient() and BufFileReadTransient()
> > replace OpenTransientFile(), CloseTransientFile(), write()/fwrite() and
> > read()/fread() respectively in reorderbuffer.c and in pgstat.c. These changes
> > become a little bit less invasive in TDE 1.1 than they were in 1.0, see [1],
> > see the diffs attached.
>
> With pg_upgrade modified to preserve the relfilenode, tablespace oid, and
> database oid, we are now closer to implementing cluster file encryption
> using XTS. I think we have a few steps left:
>
> 1. modify temporary file I/O to use a more centralized API
> 2. modify the existing cluster file encryption patch to use XTS with a
> IV that uses more than the LSN
> 3. add XTS regression test code like CTR
> 4. create WAL encryption code using CTR
>
> If we can do #1 in PG 15 I think I can have #2 ready for PG 16 in July.
> The feature wiki page is:
>
> https://wiki.postgresql.org/wiki/Transparent_Data_Encryption
>
> Do people want to advance this feature forward?
I confirm that we (Cybertec) do and that we're ready to spend more time on the
community implementation.
--
Antonin Houska
Web: https://www.cybertec-postgresql.com