Re: [Proposal] Table-level Transparent Data Encryption (TDE) and KeyManagement Service (KMS) - Mailing list pgsql-hackers
| From | Masahiko Sawada |
|---|---|
| Subject | Re: [Proposal] Table-level Transparent Data Encryption (TDE) and KeyManagement Service (KMS) |
| Date | |
| Msg-id | CAD21AoDa2Lw72L04G7agC89D7Vx-6hJwYHF5g6s13DcnhHgyDg@mail.gmail.com Whole thread Raw |
| In response to | Re: [Proposal] Table-level Transparent Data Encryption (TDE) and KeyManagement Service (KMS) (Bruce Momjian <bruce@momjian.us>) |
| Responses |
Re: [Proposal] Table-level Transparent Data Encryption (TDE) and KeyManagement Service (KMS)
(Bruce Momjian <bruce@momjian.us>)
|
| List | pgsql-hackers |
On Sun, Jul 7, 2019 at 1:05 AM Bruce Momjian <bruce@momjian.us> wrote: > > On Fri, Jul 5, 2019 at 10:24:39PM +0200, Tomas Vondra wrote: > > I agree this is a pretty crucial challenge, and those requirements seem > > in direct conflict. Users use encryption to protect privacy of the data, > > but we need access to some of the data to implement some of the > > important tasks of a RDBMS. > > > > And it's not just about things like recovery or replication. How do you > > do ANALYZE on encrypted data? Sure, if a user runs it in a session that > > has the right key, that's fine. But what about autovacuum/autoanalyze? > > There might be a way to defer ANALYZE and autovacuum/autoanalyze, but > what about VACUUM FREEZE? We can defer that too, but not the clog > truncation that is eventually the product of the freeze. > > What about referential integrity constraints that need to check primary > keys in the encrypted tables? I also don't see a way of delaying that, > and if you can't do referential integrity into the encrypted tables, it > reduces the value of having encrypted data in the same database rather > than in another database or cluster? > I just thought that PostgreSQL's auxiliary processes such as autovacuum, startup, checkpointer, bgwriter should always be able to access all keys because there are already in inside database. Even today these processes don't check any privileges when accessing to data. What security threats we can protect data from by requiring privileges even for auxiliary processes? If this is a security problem isn't it also true for cluster-wide encryption? I guess that processes who have an access privilege on the table can always get the corresponding encryption key. And any processes cannot access an encryption key directly without accessing to a database object. > I still feel we have not clearly described what the options are: > > 1. Encrypt everything > > 2. Encrypt only some tables (for performance reasons), and use only one > key, or use multiple keys to allow for key rotation. All keys are > always unlocked. > > 3. Encrypt only some tables with different keys, and the keys are not > always unlocked. > > As Tomas already stated, using tablespaces to distinguish encrypted from > non-encrypted tables doesn't make sense since the file system used for > the storage is immaterial to the encryptions status. An easier way would > be to just add a bit to WAL that would indicate if the rest of the WAL > record is encrypted, though I doubt the performance boost is worth the > complexity. Okay, instead of using tablespaces we can create groups grouping tables being encrypted with the same key. I think the one of the most important point here is to provide a granular encryption feature and have less the number of keys in database cluster, not to provide per tablespace encryption feature. I'm not going to insist it should be per tablespace encryption. Regards, -- Masahiko Sawada NIPPON TELEGRAPH AND TELEPHONE CORPORATION NTT Open Source Software Center
pgsql-hackers by date: