Home > mailing lists

Re: [Proposal] Table-level Transparent Data Encryption (TDE) and KeyManagement Service (KMS) - Mailing list pgsql-hackers

From	Tomas Vondra
Subject	Re: [Proposal] Table-level Transparent Data Encryption (TDE) and KeyManagement Service (KMS)
Date	June 13, 2018 19:15:19
Msg-id	ca97b354-2008-b5ce-d8cc-a96389f3f052@2ndquadrant.com Whole thread Raw
In response to	[Proposal] Table-level Transparent Data Encryption (TDE) and Key Management Service (KMS) ("Moon, Insung" <Moon_Insung_i3@lab.ntt.co.jp>)
Responses	RE: [Proposal] Table-level Transparent Data Encryption (TDE) andKey Management Service (KMS) RE: [Proposal] Table-level Transparent Data Encryption (TDE) and Key Management Service (KMS)
List	pgsql-hackers

Tree view

Hi,

On 05/25/2018 01:41 PM, Moon, Insung wrote:
> Hello Hackers,
> 
> ...
> 
> BTW, I want to support CBC mode encryption[3]. However, I'm not sure 
> how to use the IV in CBC mode for this proposal. I'd like to hear
> opinions by security engineer.
> 

I'm not a cryptographer either, but this is exactly where you need a 
prior discussion about the threat models - there are a couple of 
chaining modes, each with different weaknesses.

FWIW it may also matter if data_checksums are enabled, because that may 
prevent malleability attacks affecting of the modes. Assuming active 
attacker (with the ability to modify the data files) is part of the 
threat model, of course.

regards

-- 
Tomas Vondra                  http://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services

pgsql-hackers by date:

From: Konstantin Knizhnik
Date: 13 June 2018, 19:09:45
Subject: WAL prefetch

From: Joe Conway
Date: 13 June 2018, 19:20:58
Subject: Re: [Proposal] Table-level Transparent Data Encryption (TDE) and KeyManagement Service (KMS)

Re: [Proposal] Table-level Transparent Data Encryption (TDE) and KeyManagement Service (KMS) - Mailing list pgsql-hackers

Previous

Next