Re: "WIP: Data at rest encryption" patch and, PostgreSQL 11-beta3 - Mailing list pgsql-hackers
| From | Robert Haas |
|---|---|
| Subject | Re: "WIP: Data at rest encryption" patch and, PostgreSQL 11-beta3 |
| Date | |
| Msg-id | CA+TgmoYs-TPJXdpLpM1qcib-M_CAMO-7wMxBy3yuuMxs8H4L8Q@mail.gmail.com Whole thread Raw |
| In response to | Re: "WIP: Data at rest encryption" patch and, PostgreSQL 11-beta3 (Antonin Houska <ah@cybertec.at>) |
| Responses |
Re: "WIP: Data at rest encryption" patch and, PostgreSQL 11-beta3
Re: "WIP: Data at rest encryption" patch and, PostgreSQL 11-beta3 |
| List | pgsql-hackers |
On Fri, May 31, 2019 at 2:59 AM Antonin Houska <ah@cybertec.at> wrote: > > Sounds good. I'm not quite sure how this is going to work. Ideally > > you'd like the encryption key command to fetch the key from something > > like ssh-agent, or maybe pop up a window on the user's terminal with a > > key prompt. Just reading from stdin and writing to stdout is not > > going to be very convenient... > > When I mentioned writing to stdout in my previous email, I viewed it from the > perspective of postmaster: whichever way the command gets the password from > the DBA, it'll always write it to stdout and postmaster will read it from > there. This was to address your objection that the executables do not actually > "return" strings. So the part about returning strings is really just a wording issue: the documentation needs to talk about data sent to stdout or wherever, because that's what really happens, and somebody writing such a command from scratch needs to know what it must do. What I'm talking about here is that it also has to be reasonably possible to write an encryption key command that does something useful. I don't have a really clear vision for how that's going to work. Nobody wants the server, which is probably being launched by pg_ctl or systemd or both, to prompt using its own stdin/stderr, but the we need to think about how the prompting is actually going to work. One idea is to do it via the FEBE protocol: connect to the server using libpq, issue a new command that causes the server to enter COPY mode, and then send the encryption key as COPY data. However, that idea doesn't really work, because we've got to be able to get the key before we run recovery or reach consistency, so the server won't be listening for connections at that point. Also, we've got to have a way for this to work in single-user mode, which also can't listen for connections. It's probably all fine if your encryption key command is something like 'curl https://my.secret.keyserver.me/sekcret.key' because then there's an external server which you can just go access - but I don't quite understand how you'd do interactive prompting from here. Sorry to get hung up on what may seem like a minor point, but I think it's actually fairly fundamental: we've got to have a clear vision of how end-users will really be able to make use of this. > The header comment in pg_upgrade.c indicates that this is because of TOAST. So > I think that dbnode and relfilenode are not preserved just because there was > no strong reason to do so by now. Maybe you want to propose an independent patch making that change? -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
pgsql-hackers by date: