Re: Proposed patch for key managment - Mailing list pgsql-hackers
| From | Alastair Turner |
|---|---|
| Subject | Re: Proposed patch for key managment |
| Date | |
| Msg-id | CAC0Gmyy7QCvh4ey-e_XXYCHDEmaKKoeaagAFuAmhF=tS0DU4-A@mail.gmail.com Whole thread Raw |
| In response to | Re: Proposed patch for key managment (Bruce Momjian <bruce@momjian.us>) |
| Responses |
Re: Proposed patch for key managment
Re: Proposed patch for key managment |
| List | pgsql-hackers |
Hi Bruce On Wed, 16 Dec 2020 at 00:12, Bruce Momjian <bruce@momjian.us> wrote: > ... > > The second approach is to make a new API for what you want.... I am trying to motivate for an alternate API. Specifically, an API which allows any potential adopter of Postgres and Cluster File Encryption to adopt them without having to accept any particular approach to key management, key derivation, wrapping, validation, etc. A passphrase key-wrapper with validation will probably be very useful to a lot of people, but making it mandatory and requiring twists and turns to integrate with already-established security infrastructure sounds like a barrier to adoption. > ...It would be > similar to the cluster_passphrase_command, but it would be simple in > some ways, but complex in others since we need at least two DEKs, and > key rotation might be very risky since there isn't validation in the > server. > I guess that the risk you're talking about here is encryption with a bogus key and bricking the data? In a world where the wrapped keys are opaque to the application, a key would be validated through a roundtrip: request the unwrapping of the key, encrypt a known string, request the unwrapping again, decrypt the known string, compare. If any of those steps fail, don't use the wrapped key provided. Validating that the stored keys have not been fiddled/damaged is the KMS/HSM's responsibility. > >... I don't think this can be accomplished by a contrib module, but > would actually be easy to implement, but perhaps hard to document > because the user API might be tricky. > If integration through a pipeline isn't good enough (it would be a pain for the passphrase, with multiple prompts), what else do you see an API having to provide? > > I think my big question is about your sentence, "A key feature of these > key management approaches is that the application handling the > encrypted data doesn't get the KEK, the HSM/KSM passes the DEK back > after unwrapping it." It is less secure for the HSM to return a KEK > rather than a DEK? I can't see why it would be. The application never > sees the KEK used to wrap the DEK it has stored in the file system, > though that DEK is actually used as a passphrase by Postgres. This is > the same with the Yubikey --- Postgres never sees the private key used > to unlock what it locked with the Yubikey public key. > The protocols and practices are designed for a lot of DEKs and small number of KEK's. So the compromise of a KEK would, potentially, lead to compromise of thousands of DEKs. In this particular case with 2 DEKs wrapped by one KEK, it doesn't sound like much of a difference, I agree. From an acceptance and adoption point of view, I'm just inclined to use the security ecosystem in an established and understood way. Regards Alastair
pgsql-hackers by date: