From: | Bruce Momjian <bruce(at)momjian(dot)us> |
---|---|
To: | Neil Chen <carpenter(dot)nail(dot)cz(at)gmail(dot)com> |
Cc: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>, Masahiko Sawada <masahiko(dot)sawada(at)2ndquadrant(dot)com> |
Subject: | Re: Proposed patch for key managment |
Date: | 2020-12-11 01:32:39 |
Message-ID: | 20201211013239.GD13515@momjian.us |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Thu, Dec 10, 2020 at 07:26:48PM +0800, Neil Chen wrote:
>
>
> Hi, everyone
>
> I have read the patch and did some simple tests. I'm not entirely sure
> about some code segments; e.g.:
>
> In the BootStrapKmgr() we generate a data encryption key by:
> key = generate_crypto_key(file_encryption_keylen);
>
> However, I found that the file_encryption_keylen is always 0 in bootstrap
> mode because there exitst another variable bootstrap_file_encryption_keylen
> in xlog.c and bootstrap.c.
Oh, good point; that is very helpful. I was relying on SetConfigOption
to set file_encryption_keylen, but that happens _after_ we create the
keys, so they were zero length. I have fixed this by passing
bootstrap_file_encryption_keylen to the boot routines. The diff URL has
the fix:
https://github.com/postgres/postgres/compare/master...bmomjian:key.diff
> We get the REL/WAL key by KmgrGetKey() call and it works like:
> return (const CryptoKey *) &(KmgrShmem->intlKeys[id]);
>
> But in bootstrap mode, the KmgrShmem are not assigned. So, if we want to
> use it to encrypt something in bootstrap mode, I suggest we make the
> following changes:
> if ( in bootstrap mode)
> return intlKeys[id]; // a static variable which contains key
> else
> reutrn (const CryptoKey *) &(KmgrShmem->intlKeys[id]);
Yes, you are also correct here. I had not gotten to using KmgrGetKey
yet, but it clearly needs your suggestion, so have done that.
Thanks for your help.
--
Bruce Momjian <bruce(at)momjian(dot)us> https://momjian.us
EnterpriseDB https://enterprisedb.com
The usefulness of a cup is in its emptiness, Bruce Lee
From | Date | Subject | |
---|---|---|---|
Next Message | Bharath Rupireddy | 2020-12-11 01:54:41 | Re: Fail Fast In CTAS/CMV If Relation Already Exists To Avoid Unnecessary Rewrite, Planning Costs |
Previous Message | Amit Kapila | 2020-12-11 01:26:57 | Re: [Patch] Optimize dropping of relation buffers using dlist |