Re: [Proposal] Table-level Transparent Data Encryption (TDE) and Key Management Service (KMS)

On Fri, Jul 12, 2019 at 02:15:02PM +0900, Masahiko Sawada wrote:
> > We will use CBC AES128 mode for tables/indexes, and CTR AES128 for WAL.
> > 8k pages will use the LSN as a nonce, which will be encrypted to
> > generate the initialization vector (IV). We will not encrypt the first
> > 16 bytes of each pages so the LSN can be used in this way. The WAL will
> > use the WAL file segment number as the nonce and the IV will be created
> > in the same way.
> >
> > wal_log_hints will be enabled automatically in encryption mode, like we
> > do for checksum mode, so we never encrypt different 8k pages with the
> > same IV.
>
> I guess that different two pages can have the same LSN when a heap
> update modifies both a page for old tuple and another page for new
> tuple.
>
> heapam.c:3707
> recptr = log_heap_update(relation, buffer,
> newbuf, &oldtup, heaptup,
> old_key_tuple,
> all_visible_cleared,
> all_visible_cleared_new);
> if (newbuf != buffer)
> {
> PageSetLSN(BufferGetPage(newbuf), recptr);
> }
> PageSetLSN(BufferGetPage(buffer), recptr);
>
> Wouldn't it a problem?

I had the same question. If someone does:

UPDATE tab SET col = col + 1

then each row change gets its own LSN. You are asking if an update that
just expires one row and adds it to a new page gets the same LSN. I
don't know.

--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ As you are, so once was I. As I am, so you will be. +
+ Ancient Roman grave inscription +