Quick Links

Re: Internal key management system

From:	Bruce Momjian <bruce(at)momjian(dot)us>
To:	Craig Ringer <craig(dot)ringer(at)enterprisedb(dot)com>
Cc:	Masahiko Sawada <masahiko(dot)sawada(at)2ndquadrant(dot)com>, Fabien COELHO <coelho(at)cri(dot)ensmp(dot)fr>, Cary Huang <cary(dot)huang(at)highgo(dot)ca>, Ahsan Hadi <ahsan(dot)hadi(at)gmail(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>, "Moon, Insung" <tsukiwamoon(dot)pgsql(at)gmail(dot)com>, Robert Haas <robertmhaas(at)gmail(dot)com>, Sehrope Sarkuni <sehrope(at)jackdb(dot)com>, cary huang <hcary328(at)gmail(dot)com>, Ibrar Ahmed <ibrar(dot)ahmad(at)gmail(dot)com>, Joe Conway <mail(at)joeconway(dot)com>
Subject:	Re: Internal key management system
Date:	2020-10-27 11:15:25
Message-ID:	20201027111525.GJ4951@momjian.us
Views:	Raw Message \| Whole Thread \| Download mbox \| Resend email
Thread:
Lists:	pgsql-hackers

On Mon, Oct 26, 2020 at 10:05:10PM +0800, Craig Ringer wrote:
> For example if I want to lock my database with a YubiHSM I would configure
> something like:
>
> cluster_encryption_key = 'pkcs11:token=YubiHSM;id=0:0001;type=private'

Well, openssl uses a prefix before the password string, e.g.:

* pass:password
* env:var
* file:pathname
* fd:number
* stdin

See 'man openssl'. I always thought that API was ugly, but I now see
the value in it. We could implement a 'command:' prefix now, and maybe
a 'pass:' one, and allow other methods like 'pkcs11' later.

I can also imagine using the 'file' one to allow the key to be placed on
an encrypted file system that has to be mounted for Postgres to start.
You could also have the key on a USB device that has to be inserted to
be used, and the 'file' is on the USB key --- seems clearer than having
to create a script to 'cat' the file.

--
Bruce Momjian <bruce(at)momjian(dot)us> https://momjian.us
EnterpriseDB https://enterprisedb.com

The usefulness of a cup is in its emptiness, Bruce Lee

In response to

Re: Internal key management system at 2020-10-26 14:05:10 from Craig Ringer

Responses

Re: Internal key management system at 2020-10-27 14:02:53 from Craig Ringer

Browse pgsql-hackers by date

	From	Date	Subject
Next Message	Bruce Momjian	2020-10-27 11:34:07	Re: Internal key management system
Previous Message	Magnus Hagander	2020-10-27 11:05:25	Re: Prevent printing "next step instructions" in initdb and pg_upgrade