Re: Proposed patch for key managment - Mailing list pgsql-hackers

From Fabien COELHO
Subject Re: Proposed patch for key managment
Date
Msg-id alpine.DEB.2.22.394.2012311121300.3573723@pseudo
Whole thread Raw
In response to Re: Proposed patch for key managment  (Bruce Momjian <bruce@momjian.us>)
List pgsql-hackers
Hello,

>> The API to fetch the KEK doesn't care at all about where it's stored or
>> how it's derived or anything like that.  There's a relatively small
>> change which could be made to have PG request all of the keys that it'll
>> need on startup, if we want to go there as has been suggested elsewhere,
>> but even if we do that, PG needs to be able to do that itself too,
>> otherwise it's not a complete capability and there seems little point in
>> doing something that's just a pass-thru to something else and isn't able
>> to really be used.
>
> Right now, the script returns a cluster key (KEK), and during initdb the
> server generates data encryption keys and wraps them with the KEK.
> During server start, the server validates the KEK and decrypts the data
> keys.  pg_alterckey allows changing the KEK.
>
> I think Fabien is saying this all should _only_ be done using external
> tools --- that's what I don't agree with.

Yep.

I could compromise on "could be done using an external tool", but that 
requires designing the API and thinking about where and how things are 
done before everything is hardwired. Designing afterwards is too late. 
ISTM that the current patch does not separate API design and cryptographic 
design, so both are deeply entwined, and would be difficult to 
disentangle.

-- 
Fabien.



pgsql-hackers by date:

Previous
From: Fabien COELHO
Date:
Subject: Re: Proposed patch for key managment
Next
From: Masahiko Sawada
Date:
Subject: Re: Dependency isn't created between extension and schema