Re: [Proposal] Table-level Transparent Data Encryption (TDE) and KeyManagement Service (KMS) - Mailing list pgsql-hackers

From Ryan Lambert
Subject Re: [Proposal] Table-level Transparent Data Encryption (TDE) and KeyManagement Service (KMS)
Date
Msg-id CAN-V+g8fCt7OKafNUvBRSevERxt0u1LXJUUh5YwfPyU+6Aa7DA@mail.gmail.com
In response to Re: [Proposal] Table-level Transparent Data Encryption (TDE) and KeyManagement Service (KMS)  (Alvaro Herrera <alvherre@2ndquadrant.com>)
Responses Re: [Proposal] Table-level Transparent Data Encryption (TDE) and KeyManagement Service (KMS)  (Stephen Frost <sfrost@snowman.net>)
Re: [Proposal] Table-level Transparent Data Encryption (TDE) and KeyManagement Service (KMS)  (Bruce Momjian <bruce@momjian.us>)
List pgsql-hackers

> what is it that gets stored in the page for
> decryption use, the nonce or the IV derived from it?

I believe storing the IV is preferable and still secure per [1]: "The IV need not be secret"

Beyond needing the database oid, if every decrypt function has to regenerate the IV from the nonce, that will affect performance. I don't know how expensive the forward hash is, but it won't be free.

Ryan Lambert
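
As an added example, not code from this thread or from PostgreSQL, the two decrypt paths under discussion in Go: the IV is obtained by forward-hashing the per-relation nonce with the database OID and block number (an assumed construction, not the proposal's), and the per-page cost of re-deriving it on every decrypt is measured against simply reading an IV stored on the page. All key, nonce and OID values are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"time"
)

// deriveIV is an assumed construction for this example, not the proposal's own: a forward
// hash of the per-relation nonce, database OID and block number, truncated to 16 bytes.
func deriveIV(nonce []byte, dbOid, blkno uint32) [16]byte {
	h := sha256.New()
	h.Write(nonce)
	binary.Write(h, binary.LittleEndian, [2]uint32{dbOid, blkno})
	return *(*[16]byte)(h.Sum(nil))
}

// ctrCrypt applies AES-CTR; CTR is its own inverse, so one function encrypts and decrypts.
// The IV sits on the page in the clear ("the IV need not be secret"); only IV reuse under one key breaks CTR.
func ctrCrypt(key []byte, iv [16]byte, in []byte) []byte {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // the key is fixed at 32 bytes in this example
	}
	out := make([]byte, len(in))
	cipher.NewCTR(blk, iv[:]).XORKeyStream(out, in)
	return out
}

// compareDecryptPaths encrypts one constructed 8 kB page, then decrypts it n times using the IV
// read from the page and n times re-deriving the IV from the stored nonce (OID 16384, block 7 are
// constructed values). It returns whether both paths recovered the plaintext and each path's per-page time.
func compareDecryptPaths(n int) (ok bool, storedIV, fromNonce time.Duration) {
	key, nonce := bytes.Repeat([]byte{0x42}, 32), []byte("constructed-nonce") // example values
	plain := bytes.Repeat([]byte("page"), 2048)                                // one 8192-byte page
	iv := deriveIV(nonce, 16384, 7)
	ct := ctrCrypt(key, iv, plain) // ct plus either iv or nonce would be written to the page
	ok = true
	t0 := time.Now()
	for i := 0; i < n; i++ { // stored-IV path: no hash on the read side
		ok = ok && bytes.Equal(ctrCrypt(key, iv, ct), plain)
	}
	t1 := time.Now()
	for i := 0; i < n; i++ { // nonce path: one SHA-256 per page decrypt
		ok = ok && bytes.Equal(ctrCrypt(key, deriveIV(nonce, 16384, 7), ct), plain)
	}
	return ok, t1.Sub(t0) / time.Duration(n), time.Since(t1) / time.Duration(n)
}
```

The hash costs the same regardless of page size, so its relative overhead is what matters; compareDecryptPaths reports both per-page figures so that can be judged on the machine at hand.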
