| From: | Bruce Momjian <bruce(at)momjian(dot)us> |
|---|---|
| To: | Robert Haas <robertmhaas(at)gmail(dot)com> |
| Cc: | Joe Conway <mail(at)joeconway(dot)com>, Masahiko Sawada <sawada(dot)mshk(at)gmail(dot)com>, "Moon, Insung" <Moon_Insung_i3(at)lab(dot)ntt(dot)co(dot)jp>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: [Proposal] Table-level Transparent Data Encryption (TDE) and Key Management Service (KMS) |
| Date: | 2018-06-20 21:09:25 |
| Message-ID: | 20180620210925.GD17551@momjian.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Mon, Jun 18, 2018 at 09:49:20AM -0400, Robert Haas wrote:
> figure stuff out. You can infer something about the length of
> particular values. Perhaps you can find cases where the same
> encrypted value appears multiple times. If there's a btree index, you
Most encryption methods use a random initialization vector (IV) for each
encryption, e.g. pgp_sym_encrypt(), but length might allow this, as you
stated.
> know the ordering of the values under whatever ordering semantics
> apply to that index. It's unclear to me how useful such information
I don't think an ordered index is possible, only indexing of encrypted
hashes, i.e. see this and the next slide:
https://momjian.us/main/writings/crypto_hw_use.pdf#page=86
> would be in practice or to what extent it might allow you to attack
> the underlying cryptography, but it seems like there might be cases
> where the information leakage is significant. For example, suppose
> you're trying to determine which partially-encrypted record is that of
> Aaron Aardvark... or this guy:
> https://en.wikipedia.org/wiki/Hubert_Blaine_Wolfeschlegelsteinhausenbergerdorff,_Sr.
>
> Recently, it was suggested to me that a use case for column-level
> encryption might be to prevent casual DBA snooping. So, you'd want
> the data to appear in pg_dump output encrypted, because the DBA might
> otherwise look at it, but you wouldn't really be concerned about the
> threat of the DBA loading a hostile C module that would steal user
> keys and use them to decrypt all the data, because they don't care
> that much and would be fired if they were caught doing it.
Yes, that is a benefit that is not possible with page-level encryption.
It also encrypts the WAL and backups automatically; see:
http://momjian.us/main/writings/crypto_hw_use.pdf#page=97
--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ As you are, so once was I. As I am, so you will be. +
+ Ancient Roman grave inscription +
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bruce Momjian | 2018-06-20 21:12:38 | Re: [Proposal] Table-level Transparent Data Encryption (TDE) and Key Management Service (KMS) |
| Previous Message | Tomas Vondra | 2018-06-20 21:05:55 | Re: Push down Aggregates below joins |