Re: storing an explicit nonce

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Andres Freund <andres(at)anarazel(dot)de>
Cc: Robert Haas <robertmhaas(at)gmail(dot)com>, Bruce Momjian <bruce(at)momjian(dot)us>, Alvaro Herrera <alvherre(at)alvh(dot)no-ip(dot)org>, Masahiko Sawada <sawada(dot)mshk(at)gmail(dot)com>, Tom Kincaid <tomjohnkincaid(at)gmail(dot)com>, Amit Kapila <amit(dot)kapila16(at)gmail(dot)com>, Thomas Munro <thomas(dot)munro(at)gmail(dot)com>, PostgreSQL Development <pgsql-hackers(at)postgresql(dot)org>, Masahiko Sawada <masahiko(dot)sawada(at)2ndquadrant(dot)com>
Subject: Re: storing an explicit nonce
Date: 2021-05-27 17:26:11
Views: Raw Message | Whole Thread | Download mbox | Resend email
Lists: pgsql-hackers


* Andres Freund (andres(at)anarazel(dot)de) wrote:
> On 2021-05-27 12:49:15 -0400, Stephen Frost wrote:
> > That's not really a reason to rule it out though and Bruce's point about
> > having a way to get to an encrypted cluster from an unencrypted one is
> > certainly worth consideration. Naturally, we'd need to document
> > everything appropriately but there isn't anything saying that we
> > couldn't, say, have XTS in v15 without any adjustments to the page
> > layout, accepting that there's no data integrity validation and focusing
> > just on encryption, and then returning to the question about adding in
> > data integrity validation for a future version, perhaps using the
> > special area for a nonce+tag with GCM or maybe something else. Users
> > who wish to move to a cluster with encryption and data integrity
> > validation would have to get there through some other means than
> > replication, but that's going to always be the case because we have to
> > have space to store the tag, even if we can figure out some other
> > solution for the nonce.
> But won't we then end up with a different set of requirements around
> nonce assignment durability when introducing GCM support? That's not
> actually entirely trivial to do correctly on a standby. I guess we can
> use AES-GCM-SSIV and be ok with living with edge cases leading to nonce
> reuse, but ...

Not sure if I'm entirely following the question but I would have thought
the up-thread idea of generating a random part of the nonce for each
start up and then a global counter for the rest, which would be written
whenever the page is updated (meaning it wouldn't have anything to do
with the LSN and would be stored in the special area as Robert
contemplated) would work for both primaries and replicas.

Taking a step back, while I like the idea of trying to think through
these complications in a future world where we add GCM support, if we're
actually agreed on seriously looking at XTS for v15 then maybe we should
focus on that for the moment. As Bruce says, there's a lot of moving
parts in this patch that likely need discussion and agreement in order
for us to be able to move forward with it. For one, we'd probably want
to get agreement on what we'd use to construct the tweak, for starters.



In response to


Browse pgsql-hackers by date

  From Date Subject
Next Message Tom Lane 2021-05-27 17:34:04 Re: Reducing the range of OIDs consumed by
Previous Message John Naylor 2021-05-27 17:09:59 Re: Reducing the range of OIDs consumed by