Re: Transparent Data Encryption (TDE) and encrypted files - Mailing list pgsql-hackers

From Robert Haas
Subject Re: Transparent Data Encryption (TDE) and encrypted files
Date
Msg-id CA+TgmoYyXKOZzqsfk7NO-45U9bCn6KLDtkBaUWKawkVwHsLViQ@mail.gmail.com
Whole thread Raw
In response to Re: Transparent Data Encryption (TDE) and encrypted files  (Bruce Momjian <bruce@momjian.us>)
Responses Re: Transparent Data Encryption (TDE) and encrypted files
List pgsql-hackers
On Mon, Oct 7, 2019 at 11:02 AM Bruce Momjian <bruce@momjian.us> wrote:
> For clog, it is not append-only, and bytes are rewritten (from zero to
> non-zero), so there would have to be a new nonce for every clog file
> write to the file system.  We can store the nonce in a separate file,
> but the clog contents and nonce would have to be always synchronized or
> the file could not be properly read.  Basically every file we want to
> encrypt, needs this kind of study.

Yeah. It's a big problem/project.

Another approach to this problem would be to adjust the block format
to leave room for the nonce. If encryption is not in use, then those
bytes would just be zeroed or something. That would make upgrading a
bit tricky, but pg_upgrade could be taught to do the necessary
conversions for SLRUs without too much pain, I think.

In my opinion, it is desirable to maintain as much consistency as
possible between what we store on disk in the encrypted case and what
we store on disk in the not-encrypted case.  If we have to add
additional forks in the encrypted case, or change the file of the
format and not just the contents, it seems likely to add complexity
and bugs that we might be able to avoid via another approach.

> > In other words: maybe I'm wrong here, but it looks to me like we're
> > laboriously reinventing the wheel when we could be working on
> > improving the working prototype.
>
> The work being done is building on that prototype.

That's good, but then I'm puzzled as to why your list of things to
encrypt doesn't include all the things it already covers.

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company



pgsql-hackers by date:

Previous
From: Juan José Santamaría Flecha
Date:
Subject: Re: Non-Active links being referred in our source code
Next
From: Robert Haas
Date:
Subject: Re: Standby accepts recovery_target_timeline setting?