I wanted to bounce a few related ideas off people.
Foreign Data Wrappers
One of the biggest vulnerabilities of the current system is the need for the client to know the PGP key. There's a better alternative for many (not all) use cases - loading the PGP key from a file located on the server or securely downloaded from a trusted source on an as-needed basis.
In other words - a Foreign Data Wrapper for PGP keyrings. The initial milestone could be a readonly table containing:
- keyid
- alg
- not_before
- not_after
- public key
- secret key (if available)
I've included type --list-keys below. I know the FDW should include the [SCE] flags and '[unknown|lultimate|...] values, and possibly the uid values. (It would need to be text[]). Secret keys add a 'ssb' element.
UDT and UDF
This still exposes a lot of information so it makes sense to consider a UDT for PGP_KEY and possibly more. This UDT can be opaque - the secret key can be write-only. Otherwise the UDT can be a drop-in replacement for the existing text and bytea UDFs.
A similar idea, one that I'm still exploring, is PGP_CIPHERTEXT. It's a drop-in replacement for bytea but makes it easy to add type-safe functions to extract metadata from the ciphertext.
The keyring FDW would return a PGP_KEY for the secret key. This prevents the exposure of a secret key loaded from a keyring.
