Re: storing an explicit nonce

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Bruce Momjian <bruce(at)momjian(dot)us>
Cc: Ants Aasma <ants(at)cybertec(dot)at>, Antonin Houska <ah(at)cybertec(dot)at>, Robert Haas <robertmhaas(at)gmail(dot)com>, Sasasu <i(at)sasa(dot)su>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject: Re: storing an explicit nonce
Date: 2021-10-12 12:49:28
Message-ID: 20211012124928.GF20998@tamriel.snowman.net
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

Greetings,

* Bruce Momjian (bruce(at)momjian(dot)us) wrote:
> On Tue, Oct 12, 2021 at 08:25:52AM -0400, Stephen Frost wrote:
> > * Bruce Momjian (bruce(at)momjian(dot)us) wrote:
> > > On Tue, Oct 12, 2021 at 08:40:17AM +0300, Ants Aasma wrote:
> > > > On Mon, 11 Oct 2021 at 22:15, Bruce Momjian <bruce(at)momjian(dot)us> wrote:
> > > >
> > > > > Yes, that's the direction that I was thinking also and specifically with
> > > > > XTS as the encryption algorithm to allow us to exclude the LSN but keep
> > > > > everything else, and to address the concern around the nonce/tweak/etc
> > > > > being the same sometimes across multiple writes.  Another thing to
> > > > > consider is if we want to encrypt zero'd page.  There was a point
> > > > > brought up that if we do then we are encrypting a fair bit of very
> > > > > predictable bytes and that's not great (though there's a fair bit about
> > > > > our pages that someone could quite possibly predict anyway based on
> > > > > table structures and such...).  I would think that if it's easy enough
> > > > > to not encrypt zero'd pages that we should avoid doing so.  Don't recall
> > > > > offhand which way zero'd pages were being handled already but thought it
> > > > > made sense to mention that as part of this discussion.
> > > >
> > > > Yeah, I wanted to mention that.  I don't see any security difference
> > > > between fully-zero pages, pages with headers and no tuples, and pages
> > > > with headers and only a few tuples.  If any of those are insecure, they
> > > > all are.  Therefore, I don't see any reason to treat them differently.
> > > >
> > > >
> > > > We had to special case zero pages and not encrypt them because as far as I can
> > > > tell, there is no atomic way to extend a file and initialize it to Enc(zero) in
> > > > the same step.
> > >
> > > Oh, good point. Yeah, we will need to handle that.
> >
> > Not sure what's meant here by 'handle that', but I don't see any
> > particular reason to avoid doing exactly the same for zero pages with
> > TDE in core..? I don't think there's any reason we need to make things
> > complicated to ensure that we encrypt entirely empty pages.
>
> I thought he was saying that when you extend a file, you might have to
> extend it with all zeros, rather than being able to extend it with
> an actual encrypted page of zeros. For example, I think when a page is
> corrupt in storage, it reads back as a fully zero page, and we would
> need to handle that. Are you saying we already have logic to handle
> that so we don't need to change anything?

When we extend a file, it gets extended with all zeros. PG already
handles that case, PG w/ TDE would need to also recognize that case
(which is what Ants was saying their patch does) and handle it. In
other words, we just need to realize when a page is all zeros and not
try to decrypt it when we're reading it. Ants' patch does that and my
recollection is that it wasn't very complicated to do, and that seems
much simpler than trying to figure out a way to ensure we do encrypt a
zero'd page as part of extending a file.

Thanks,

Stephen

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Dilip Kumar 2021-10-12 12:51:08 Question about building an exportable snapshop
Previous Message Bruce Momjian 2021-10-12 12:32:59 Re: storing an explicit nonce