On Mon, 4 Jan 2021 at 17:56, Bruce Momjian <bruce@momjian.us> wrote:
>
> On Sat, Jan 2, 2021 at 12:47:19PM +0000, Alastair Turner wrote:
> >
> > There is also a further validation task - probably beyond the scope of
> > the key management patch and into the encryption patch[es] territory -
> > checking that the keys supplied are the same keys in use for the data
> > currently on disk. It feels to me like this should be done at startup,
> > rather than as each file is accessed, which could make startup quite
> > slow if there are a lot of keys with narrow scope.
>
> We do that already on startup by using GCM to validate the KEK when
> encrypting each DEK.
>
Which validates two things - that the KEK is the same one which was
used to encrypt the DEKs (instead of returning garbage plaintext when
given a garbage key), and that the DEKs have not been tampered with at
rest. What it does not check is that the DEKs are the keys used to
encrypt the data, that one has not been copied or restored independent
of the other.
