| From: | Bruce Momjian <bruce(at)momjian(dot)us> |
|---|---|
| To: | Robert Haas <robertmhaas(at)gmail(dot)com> |
| Cc: | Ants Aasma <ants(dot)aasma(at)eesti(dot)ee>, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: WIP: Data at rest encryption |
| Date: | 2017-06-13 15:51:17 |
| Message-ID: | 20170613155117.GB13873@momjian.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Tue, Jun 13, 2017 at 11:35:03AM -0400, Robert Haas wrote:
> I anticipate that one of the trickier problems here will be handling
> encryption of the write-ahead log. Suppose you encrypt WAL a block at
> a time. In the current system, once you've written and flushed a
> block, you can consider it durably committed, but if that block is
> encrypted, this is no longer true. A crash might tear the block,
> making it impossible to decrypt. Replay will therefore stop at the
> end of the previous block, not at the last record actually flushed as
> would happen today. So, your synchronous_commit suddenly isn't. A
> similar problem will occur any other page where we choose not to
> protect against torn pages using full page writes. For instance,
> unless checksums are enabled or wal_log_hints=on, we'll write a data
> page where a single bit has been flipped and assume that the bit will
> either make it to disk or not; the page can't really be torn in any
> way that hurts us. But with encryption that's no longer true, because
> the hint bit will turn into much more than a single bit flip, and
> rereading that page with half old and half new contents will be the
> end of the world (TM). I don't know off-hand whether we're
> protecting, say, CLOG page writes with FPWs.: because setting a couple
> of bits is idempotent and doesn't depend on the existing page
> contents, we might not need it currently, but with encryption, every
> bit in the page depends on every other bit in the page, so we
> certainly would. I don't know how many places we've got assumptions
> like this baked into the system, but I'm guessing there are a bunch.
That is not necessary true. You are describing a cipher mode where the
user data goes through the cipher, e.g. AES in CBC mode. However, if
you are using a stream cipher based on a block cipher, e.g. CTR, GCM,
you XOR the user data with a random bit stream, and in that case one bit
change in user data would be one bit change in the cipher output.
--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ As you are, so once was I. As I am, so you will be. +
+ Ancient Roman grave inscription +
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2017-06-13 15:53:09 | Re: RTE_NAMEDTUPLESTORE, enrtuples and comments |
| Previous Message | Robert Haas | 2017-06-13 15:38:38 | Re: RTE_NAMEDTUPLESTORE, enrtuples and comments |