Re: Internal key management system - Mailing list pgsql-hackers

From Robert Haas
Subject Re: Internal key management system
Date
Msg-id CA+TgmoadFz=DP8wHYK4OR98bPUAD4CqrXTCT=KVm0+eLft6keA@mail.gmail.com
Whole thread Raw
In response to Re: Internal key management system  (Cary Huang <cary.huang@highgo.ca>)
List pgsql-hackers
On Thu, Feb 6, 2020 at 4:37 PM Cary Huang <cary.huang@highgo.ca> wrote:
> Since the user does not need to know the master secret key used to cipher the data, I don't think we should expose
"pg_kmgr_unwrap("xxxx")"SQL function to the user at all.
 
> The wrapped key "xxxx" is stored in control data and it is possible to obtain by malicious user and steal the key by
runningSELECT pg_kmgr_unwrap("xxxx").
 
> Even the user is righteous, it may not be very straightforward for that user to obtain the wrapped key "xxxx" to use
inthe unwrap function.
 

I agree.

> so instead of:
> ------------------
> INSERT INTO tbl VALUES (pg_encrypt('user data', pg_kmgr_unwrap('xxxxx'));
> SELECT pg_decrypt(secret_column, pg_kmgr_unwrap('xxxxx')) FROM tbl;
>
> it would become:
> ------------------
> INSERT INTO tbl VALUES (pg_encrypt('user data', 'cluster_pass_phrase');
> SELECT pg_decrypt(secret_column, 'cluster_pass_phrase') FROM tbl;

The second one is certainly better than the first one, as it prevents
the key from being stolen. It's still pretty bad, though, because the
supposedly-secret passphrase will end up in the server log.

I have a hard time believing that this feature as currently proposed
is worth anything.

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company



pgsql-hackers by date:

Previous
From: Justin Pryzby
Date:
Subject: Re: error context for vacuum to include block number
Next
From: Tom Lane
Date:
Subject: Re: [HACKERS] Moving relation extension locks out of heavyweight lock manager