Re: "WIP: Data at rest encryption" patch and, PostgreSQL 11-beta3 - Mailing list pgsql-hackers
| From | Pavlo Golub |
|---|---|
| Subject | Re: "WIP: Data at rest encryption" patch and, PostgreSQL 11-beta3 |
| Date | |
| Msg-id | 457444826.20190606135839@cybertec.at Whole thread Raw |
| In response to | Re: "WIP: Data at rest encryption" patch and, PostgreSQL 11-beta3 (Antonin Houska <ah@cybertec.at>) |
| List | pgsql-hackers |
Greetings, Antonin. You wrote 2019-06-05, 15:32: > Robert Haas <robertmhaas@gmail.com> wrote: >> On Fri, May 31, 2019 at 2:59 AM Antonin Houska <ah@cybertec.at> wrote: >> > > Sounds good. I'm not quite sure how this is going to work. Ideally >> > > you'd like the encryption key command to fetch the key from something >> > > like ssh-agent, or maybe pop up a window on the user's terminal with a >> > > key prompt. Just reading from stdin and writing to stdout is not >> > > going to be very convenient... >> > >> > When I mentioned writing to stdout in my previous email, I viewed it from the >> > perspective of postmaster: whichever way the command gets the password from >> > the DBA, it'll always write it to stdout and postmaster will read it from >> > there. This was to address your objection that the executables do not actually >> > "return" strings. >> >> So the part about returning strings is really just a wording issue: >> the documentation needs to talk about data sent to stdout or wherever, >> because that's what really happens, and somebody writing such a >> command from scratch needs to know what it must do. >> >> What I'm talking about here is that it also has to be reasonably >> possible to write an encryption key command that does something >> useful. I don't have a really clear vision for how that's going to >> work. Nobody wants the server, which is probably being launched by >> pg_ctl or systemd or both, to prompt using its own stdin/stderr, but >> the we need to think about how the prompting is actually going to >> work. > Since you mentioned ssh-agent above, I think that postmaster can, instead of > running a command, create an unix socket and read the key from there. (I refer > only to the socket as a communication channel, not to the protocol - ssh-agent > does not seem to actually send key over the socket.) Unlike the socket for > backend connections, this one would only be readable by the user that runs > postmaster, and would only exist during the encryption initialization. > The simplest approach from the perspective of the DBA is that pg_ctl can write > the key to the socket. Besides that we can also implement a separate utility > to send the key, to be used in other special cases such as starting postgres > via systemd. > (If the unix socket is a problem on windows, we might need to use named pipe > instead.) Yes, that definitely a problem on Windows. Pipes seems reasonable. Are mapped files are appropriate from the security point of view? >> > The header comment in pg_upgrade.c indicates that this is because of TOAST. So >> > I think that dbnode and relfilenode are not preserved just because there was >> > no strong reason to do so by now. >> >> Maybe you want to propose an independent patch making that change? > I think of a separate diff in the encryption patch series. As the encryption > is the only reason for this enhancement, I'm not sure if it deserves a > separate CF entry. (Although it might be considered refactoring because > eventually pg_upgrade won't need to handle the different relnodes, and thus it > might become a little bit simpler.) -- Kind regards, Pavlo mailto:pavlo.golub@cybertec.at
pgsql-hackers by date: