| From: | Bruce Momjian <bruce(at)momjian(dot)us> |
|---|---|
| To: | Masahiko Sawada <sawada(dot)mshk(at)gmail(dot)com> |
| Cc: | Joe Conway <mail(at)joeconway(dot)com>, Antonin Houska <ah(at)cybertec(dot)at>, Stephen Frost <sfrost(at)snowman(dot)net>, Tomas Vondra <tomas(dot)vondra(at)2ndquadrant(dot)com>, Robert Haas <robertmhaas(at)gmail(dot)com>, Haribabu Kommi <kommi(dot)haribabu(at)gmail(dot)com>, "Moon, Insung" <Moon_Insung_i3(at)lab(dot)ntt(dot)co(dot)jp>, Ibrar Ahmed <ibrar(dot)ahmad(at)gmail(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: [Proposal] Table-level Transparent Data Encryption (TDE) and Key Management Service (KMS) |
| Date: | 2019-07-12 15:29:12 |
| Message-ID: | 20190712152912.bgztdwgpeo5pucmn@momjian.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Fri, Jul 12, 2019 at 03:20:37PM +0900, Masahiko Sawada wrote:
> Thank you for summarizing the discussion, it's really helpful. I'll
> update the wiki page based on the summary.
>
> On Fri, Jul 12, 2019 at 10:05 AM Bruce Momjian <bruce(at)momjian(dot)us> wrote:
> > > The keys themselves should be in an file which is encrypted by a master
> > > key. Obtaining the master key should be pattern it after the GUC
> > > ssl_passphrase_command.
>
> +1.
> I will update the patch set based on the decision on this thread.
Thanks.
> > > > We will use CBC AES128 mode for tables/indexes, and CTR AES128 for WAL.
> > > > 8k pages will use the LSN as a nonce, which will be encrypted to
> > > > generate the initialization vector (IV). We will not encrypt the first
> > > > 16 bytes of each pages so the LSN can be used in this way. The WAL will
> > > > use the WAL file segment number as the nonce and the IV will be created
> > > > in the same way.
> > >
> > > I vote for AES 256 rather than 128.
> >
> > Why? This page seems to think 128 is sufficient:
> >
> > https://crypto.stackexchange.com/questions/20/what-are-the-practical-differences-between-256-bit-192-bit-and-128-bit-aes-enc
> >
> > For practical purposes, 128-bit keys are sufficient to ensure security.
> > The larger key sizes exist mostly to satisfy some US military
> > regulations which call for the existence of several distinct "security
> > levels", regardless of whether breaking the lowest level is already far
> > beyond existing technology.
> >
> > We might need to run some benchmarks to determine the overhead of going
> > to AES256, because I am unclear of the security value.
>
> 'openssl speed' will help to see the performance differences easily.
> FWIW I got the following result in my environment (Intel(R) Core(TM)
> i7-3770 CPU @ 3.40GHz).
>
> $ openssl speed -evp aes-128-cbc
> type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
> aes-128-cbc 642449.60k 656404.63k 700231.23k 706461.71k 706051.44k
>
> $ openssl speed -evp aes-256-cbc
> type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
> aes-256-cbc 466787.73k 496237.08k 503477.16k 507113.32k 508453.80k
I saw similar numbers on my Intel(R) Xeon(R) CPU E5620 @ 2.40GHz with
AES optimization enabled on the CPUs:
$ grep -i '\<aes\>' /proc/cpuinfo | wc -l
16
Doing aes-128-cbc for 3s on 8192 size blocks: 254000 aes-128-cbc's in 3.00s
Doing aes-256-cbc for 3s on 8192 size blocks: 182496 aes-256-cbc's in 3.00s
which shows AES256 as 40% slower than AES128, which matches the 40%
mentioned here:
The larger key sizes imply some CPU overhead (+20% for a 192-bit key,
+40% for a 256-bit key: internally, the AES is a sequence of "rounds"
and the AES standard says that there shall be 10, 12 or 14 rounds, for a
128-bit, 192-bit or 256-bit key, respectively). So there is some
rational reason not to use a larger than necessary key.
> Regarding the security value, I found an interesting post by Bruce Schneier.
>
> https://www.schneier.com/blog/archives/2009/07/another_new_aes.html
>
> "And for new applications I suggest that people don't use AES-256.
> AES-128 provides more than enough security margin for the forseeable
> future. But if you're already using AES-256, there's no reason to
> change."
Yes, that is what I have heard too. I think the additional number of
people who use encryption because of its lower overhead will greatly
outweigh the benefit of using AES256 vs AES128.
> > Yes, sorry, master key rotation is simple. It is encryption key
> > rotation that I think needs a tool.
>
> Agreed.
>
> To rotate the master key we can have a SQL function or dedicated SQL
> command passing the new master key or the passphrase to postgres.
Well, depending on how we store the encryption key, we will probably
change the master key via a command-line tool like pgchecksums.
--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ As you are, so once was I. As I am, so you will be. +
+ Ancient Roman grave inscription +
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bruce Momjian | 2019-07-12 15:30:17 | Re: [Proposal] Table-level Transparent Data Encryption (TDE) and Key Management Service (KMS) |
| Previous Message | Lucas Viecelli | 2019-07-12 15:21:33 | Re: warning to publication created and wal_level is not set to logical |