On Wed, Jul 10, 2019 at 11:06 AM Stephen Frost <sfrost@snowman.net> wrote:
>
> Greetings,
>
> * Ryan Lambert (ryan@rustprooflabs.com) wrote:
> > > What I think Tomas is getting at here is that we don't write a page only
> > > once.
> >
> > > A nonce of tableoid+pagenum will only be unique the first time we write
> > > out that page. Seems unlikely that we're only going to be writing these
> > > pages once though- what we need is a nonce that's unique for *every
> > > write* of the 8k page, isn't it? As every write of the page is going to
> > > be encrypting something new.
> >
> > > With sufficient randomness, we can at least be more likely to have a
> > > unique nonce for each 8K write. Including the LSN seems like it'd be a
> > > possible alternative.
> >
> > Agreed. I know little of the inner details about the LSN but what I read
> > in [1] sounds encouraging in addition to tableoid + pagenum.
> >
> > [1] https://www.postgresql.org/docs/current/datatype-pg-lsn.html
>
> Yes, but it's still something that we'd have to store somewhere- the
> actual LSN of the page is going to be in the 8K block.
Can we use CBC-ESSIV[1] or XTS[2] instead? IIUC with these modes we
can use table oid and page number for IV or tweak and we don't need to
change them each time to encrypt pages.
[1] https://en.wikipedia.org/wiki/Disk_encryption_theory#Encrypted_salt-sector_initialization_vector_.28ESSIV.29
[2]
https://en.wikipedia.org/wiki/Disk_encryption_theory#XEX-based_tweaked-codebook_mode_with_ciphertext_stealing_(XTS)
Regards,
--
Masahiko Sawada
NIPPON TELEGRAPH AND TELEPHONE CORPORATION
NTT Open Source Software Center
