pgsql: Add key management system - Mailing list pgsql-committers
| From | Bruce Momjian |
|---|---|
| Subject | pgsql: Add key management system |
| Date | |
| Msg-id | E1ksosn-00073I-0Q@gemulon.postgresql.org Whole thread Raw |
| Responses |
Re: pgsql: Add key management system
(Justin Pryzby <pryzby@telsasoft.com>)
|
| List | pgsql-committers |
Add key management system This adds a key management system that stores (currently) two data encryption keys of length 128, 192, or 256 bits. The data keys are AES256 encrypted using a key encryption key, and validated via GCM cipher mode. A command to obtain the key encryption key must be specified at initdb time, and will be run at every database server start. New parameters allow a file descriptor open to the terminal to be passed. pg_upgrade support has also been added. Discussion: https://postgr.es/m/CA+fd4k7q5o6Nc_AaX6BcYM9yqTbC6_pnH-6nSD=54Zp6NBQTCQ@mail.gmail.com Discussion: https://postgr.es/m/20201202213814.GG20285@momjian.us Author: Masahiko Sawada, me, Stephen Frost Branch ------ master Details ------- https://git.postgresql.org/pg/commitdiff/978f869b992f9fca343e99d6fdb71073c76e869a Modified Files -------------- doc/src/sgml/config.sgml | 62 ++++ doc/src/sgml/database-encryption.sgml | 97 +++++ doc/src/sgml/filelist.sgml | 1 + doc/src/sgml/installation.sgml | 5 +- doc/src/sgml/postgres.sgml | 1 + doc/src/sgml/ref/initdb.sgml | 46 +++ doc/src/sgml/ref/pg_ctl-ref.sgml | 13 + doc/src/sgml/ref/pgupgrade.sgml | 18 +- doc/src/sgml/ref/postgres-ref.sgml | 13 + doc/src/sgml/storage.sgml | 5 + src/backend/Makefile | 2 +- src/backend/access/transam/xlog.c | 21 ++ src/backend/bootstrap/bootstrap.c | 21 +- src/backend/crypto/Makefile | 18 + src/backend/crypto/kmgr.c | 372 +++++++++++++++++++ src/backend/main/main.c | 3 + src/backend/postmaster/pgstat.c | 9 + src/backend/postmaster/postmaster.c | 13 +- src/backend/replication/basebackup.c | 5 + src/backend/storage/ipc/ipci.c | 3 + src/backend/storage/lmgr/lwlocknames.txt | 1 + src/backend/tcop/postgres.c | 25 +- src/backend/utils/misc/guc.c | 24 ++ src/backend/utils/misc/pg_controldata.c | 11 +- src/backend/utils/misc/postgresql.conf.sample | 5 + src/bin/initdb/initdb.c | 116 +++++- src/bin/pg_controldata/pg_controldata.c | 3 + src/bin/pg_ctl/pg_ctl.c | 59 ++- src/bin/pg_resetwal/pg_resetwal.c | 2 + src/bin/pg_rewind/filemap.c | 8 + src/bin/pg_upgrade/check.c | 34 ++ src/bin/pg_upgrade/controldata.c | 42 ++- src/bin/pg_upgrade/file.c | 2 + src/bin/pg_upgrade/option.c | 7 +- src/bin/pg_upgrade/pg_upgrade.h | 3 + src/bin/pg_upgrade/server.c | 5 +- src/common/Makefile | 3 + src/common/cipher.c | 67 ++++ src/common/cipher_openssl.c | 268 ++++++++++++++ src/common/kmgr_utils.c | 507 ++++++++++++++++++++++++++ src/include/catalog/pg_control.h | 5 +- src/include/common/cipher.h | 62 ++++ src/include/common/kmgr_utils.h | 98 +++++ src/include/crypto/kmgr.h | 29 ++ src/include/pgstat.h | 3 + src/include/postmaster/postmaster.h | 2 + src/include/utils/guc_tables.h | 1 + src/test/Makefile | 2 +- src/tools/msvc/Mkvcbuild.pm | 4 +- 49 files changed, 2091 insertions(+), 35 deletions(-)
pgsql-committers by date: