Hello Stephen,
>> The implementations should not have to be in any particular language: Shell,
>> Perl, Python, C should be possible.
>
> I disagree that it makes any sense to pass actual encryption out to a
> shell script.
Yes, sure. I'm talking about key management. For actual crypto functions,
ISTM that they should be "replaceable", i.e. if some institution does not
believe in AES then they could switch to something else.
>> After giving it more thought during the day, I think that only one
>> command and a basic protocol is needed. Maybe something as simple as
>>
>> /path/to/command --options arguments…
>
> This is what's proposed- a command is run to acquire the KEK (as a hex
> encoded set of bytes, making it possible to use a shell script, which is
> what the patch does too).
Yep, but that is not what I'm trying to advocate. The "KEK" (if any),
would stay in the process, not be given back to the database or command
using it. Then the database/tool would interact with the command to get
the actual per-file keys when needed.
> [...] The API to fetch the KEK doesn't care at all about where it's
> stored or how it's derived or anything like that.
> There's a relatively small change which could be made to have PG request
> all of the keys that it'll need on startup, if we want to go there as
> has been suggested elsewhere, but even if we do that, PG needs to be
> able to do that itself too, otherwise it's not a complete capability and
> there seems little point in doing something that's just a pass-thru to
> something else and isn't able to really be used.
I do not understand. Postgres should provide a working implementation,
whether the functions are directly inside pg or though an external
process, they need to be there anyway. I'm trying to fix a clean, possibly
external API so that it is possible to have something different from the
choices made in the patch.
--
Fabien.