From: | Bruce Momjian <bruce(at)momjian(dot)us> |
---|---|
To: | Michael Paquier <michael(at)paquier(dot)xyz> |
Cc: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>, Masahiko Sawada <masahiko(dot)sawada(at)2ndquadrant(dot)com> |
Subject: | Re: Proposed patch for key management |
Date: | 2020-12-10 01:40:50 |
Message-ID: | 20201210014050.GA13515@momjian.us |
Lists: | pgsql-hackers |
On Fri, Dec 4, 2020 at 10:32:45PM -0500, Bruce Momjian wrote:
> I can break out the -R/file descriptor passing part as a separate patch,
> and have the ssl_passphrase_command use that, but that's the only part I
> know can be useful on its own.
>
> Since the patch is large, I found a way to push the branch to git and
> how to make a download link that tracks whatever I push to the 'key'
> branch on my github account. Here is the updated patch link:
>
> https://github.com/postgres/postgres/compare/master...bmomjian:key.diff

I have made some good progress on the patch. I realized that pg_upgrade
can't just copy the keys from the old cluster --- they encrypt the user
heap/index files that are copied/linked by pg_upgrade, but also encrypt
the system tables, which initdb creates, so the keys have to be copied
at initdb bootstrap time --- I have added an option to do that. I also
realized that pg_upgrade will be starting/stopping the server, so I need
to add an option to pg_upgrade to allow that prompting. I can now
successfully pg_upgrade a cluster that uses cluster file encryption, and
keep the same keys. All at the same URL.

In addition I have completed the command-line tool to allow changing of
the cluster passphrase, which applies over the first diff; diff at:
https://github.com/bmomjian/postgres/compare/key...bmomjian:key-alter.diff

My next task is to write a script for Yubikey authentication.

--
Bruce Momjian <bruce(at)momjian(dot)us> https://momjian.us
EnterpriseDB https://enterprisedb.com
The usefulness of a cup is in its emptiness, Bruce Lee