Re: [Proposal] Table-level Transparent Data Encryption (TDE) and KeyManagement Service (KMS) - Mailing list pgsql-hackers
| From | Bruce Momjian |
|---|---|
| Subject | Re: [Proposal] Table-level Transparent Data Encryption (TDE) and KeyManagement Service (KMS) |
| Date | |
| Msg-id | 20190712010517.i5cmjzjvmvdybuxn@momjian.us Whole thread Raw |
| In response to | Re: [Proposal] Table-level Transparent Data Encryption (TDE) and KeyManagement Service (KMS) (Joe Conway <mail@joeconway.com>) |
| Responses |
Re: [Proposal] Table-level Transparent Data Encryption (TDE) and KeyManagement Service (KMS)
(Masahiko Sawada <sawada.mshk@gmail.com>)
Re: [Proposal] Table-level Transparent Data Encryption (TDE) and KeyManagement Service (KMS) (Sehrope Sarkuni <sehrope@jackdb.com>) Re: [Proposal] Table-level Transparent Data Encryption (TDE) and KeyManagement Service (KMS) (Joe Conway <mail@joeconway.com>) |
| List | pgsql-hackers |
On Thu, Jul 11, 2019 at 08:41:52PM -0400, Joe Conway wrote: > On 7/11/19 6:37 PM, Bruce Momjian wrote: > > Our first implementation will encrypt the entire cluster. We can later > > consider encryption per table or tablespace. It is unclear if > > encrypting different parts of the system with different keys is useful > > or feasible. (This is separate from key rotation.) > > I still object strongly to using a single key for the entire database. I > think we can use a single key for WAL, but we need some way to split the > heap so that multiple keys are used. If not by tablespace, then some > other method. What do you base this on? > Regardless of the method to split the heap into different keys, I think > there should be an option for some tables to not be encrypted. If we > decide it must be all or nothing for the first implementation I guess I > could live with it but would be very disappointed. What does it mean you "could live this it"? Why do you consider having some tables unencrypted important? > The keys themselves should be in an file which is encrypted by a master > key. Obtaining the master key should be pattern it after the GUC > ssl_passphrase_command. > > > We will use CBC AES128 mode for tables/indexes, and CTR AES128 for WAL. > > 8k pages will use the LSN as a nonce, which will be encrypted to > > generate the initialization vector (IV). We will not encrypt the first > > 16 bytes of each pages so the LSN can be used in this way. The WAL will > > use the WAL file segment number as the nonce and the IV will be created > > in the same way. > > I vote for AES 256 rather than 128. Why? This page seems to think 128 is sufficient: https://crypto.stackexchange.com/questions/20/what-are-the-practical-differences-between-256-bit-192-bit-and-128-bit-aes-enc For practical purposes, 128-bit keys are sufficient to ensure security. The larger key sizes exist mostly to satisfy some US military regulations which call for the existence of several distinct "security levels", regardless of whether breaking the lowest level is already far beyond existing technology. We might need to run some benchmarks to determine the overhead of going to AES256, because I am unclear of the security value. > Did we determine that we no longer need table oid because LSNs are > sufficiently unique? I think so. > > wal_log_hints will be enabled automatically in encryption mode, like we > > do for checksum mode, so we never encrypt different 8k pages with the > > same IV. > > check > > > There will need to be a pg_control field to indicate that encryption is > > in use. > > I didn't see that discussed but it makes sense. Yes, it seems to make sense, but was not discussed. > > Right now we don't support the online changing of a cluster's checksum > > mode, so I suggest we create a utility like pg_checksums --enable to > > allow offline key rotation. Once we get online checksum mode changing > > ability, we can look into use that for encryption key rotation. > > Master key rotation should be trivial if we do it the way I discussed > above. Rotating the individual heap and WAL keys would certainly be a > bigger problem. Yes, sorry, master key rotation is simple. It is encryption key rotation that I think needs a tool. > Thinking out loud (and I believe somewhere in this massive thread > someone else already said this), if we had a way to flag "key version" > at the page level it seems like we could potentially rekey page-by-page > while online, locking only one page at a time. We really only need to > support 2 key versions and could ping-pong between them as they change. > Or maybe this is a crazy idea. Yes, we did talk about this. It is certainly possible, but we would still need a tool to guarantee all pages are using the new version, so I am not sure what per-page buys us except making the later check faster. I don't see this as a version-1 feature, frankly. -- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB http://enterprisedb.com + As you are, so once was I. As I am, so you will be. + + Ancient Roman grave inscription +
pgsql-hackers by date: