| From: | Joe Conway <mail(at)joeconway(dot)com> |
|---|---|
| To: | Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net>, Bruce Momjian <bruce(at)momjian(dot)us> |
| Cc: | Masahiko Sawada <sawada(dot)mshk(at)gmail(dot)com>, Tomas Vondra <tomas(dot)vondra(at)2ndquadrant(dot)com>, Robert Haas <robertmhaas(at)gmail(dot)com>, Antonin Houska <ah(at)cybertec(dot)at>, Haribabu Kommi <kommi(dot)haribabu(at)gmail(dot)com>, "Moon, Insung" <Moon_Insung_i3(at)lab(dot)ntt(dot)co(dot)jp>, Ibrar Ahmed <ibrar(dot)ahmad(at)gmail(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: [Proposal] Table-level Transparent Data Encryption (TDE) and Key Management Service (KMS) |
| Date: | 2019-07-08 16:09:58 |
| Message-ID: | 832657a1-b27a-a33a-5bc2-ce420f95f4be@joeconway.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 7/8/19 11:56 AM, Peter Eisentraut wrote:
> On 2019-07-08 17:47, Stephen Frost wrote:
>> Of course, we can discuss if what websites do with over-the-wire
>> encryption is sensible to compare to what we want to do in PG for
>> data-at-rest, but then we shouldn't be talking about what websites do,
>> it'd make more sense to look at other data-at-rest encryption systems
>> and consider what they're doing.
>
> So, how do encrypted file systems do it? Are there any encrypted file
> systems in general use that allow encrypting only some files or
> encrypting different parts of the file system with different keys, or
> any of those other granular approaches being discussed?
Well it is fairly common, for good reason IMHO, to encrypt some mount
points and not others on a system. In my mind, and in practice to a
large extent, a postgres tablespace == a unique mount point.
There is a description here:
https://wiki.archlinux.org/index.php/Disk_encryption
A pertinent quote:
----
After it has been derived, the master key is securely stored in memory
(e.g. in a kernel keyring), for as long as the encrypted block device or
folder is mounted.
It is usually not used for de/encrypting the disk data directly, though.
For example, in the case of stacked filesystem encryption, each file can
be automatically assigned its own encryption key. Whenever the file is
to be read/modified, this file key first needs to be decrypted using the
main key, before it can itself be used to de/encrypt the file contents:
╭┈┈┈┈┈┈┈┈┈┈┈┈╮
┊ master key ┊
file on disk: ╰┈┈┈┈┈┬┈┈┈┈┈┈╯
┌ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┐ │
╎╭───────────────────╮╎ ▼ ╭┈┈┈┈┈┈┈┈┈┈╮
╎│ encrypted file key│━━━━(decryption)━━━▶┊ file key ┊
╎╰───────────────────╯╎ ╰┈┈┈┈┬┈┈┈┈┈╯
╎┌───────────────────┐╎ ▼
┌┈┈┈┈┈┈┈┈┈┈┈┈┈┈┈┐
╎│ encrypted file │◀━━━━━━━━━━━━━━━━━(de/encryption)━━━▶┊ readable
file ┊
╎│ contents │╎ ┊ contents
┊
╎└───────────────────┘╎
└┈┈┈┈┈┈┈┈┈┈┈┈┈┈┈┘
└ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┘
In a similar manner, a separate key (e.g. one per folder) may be used
for the encryption of file names in the case of stacked filesystem
encryption.
----
Joe
--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bruce Momjian | 2019-07-08 16:16:04 | Re: [Proposal] Table-level Transparent Data Encryption (TDE) and Key Management Service (KMS) |
| Previous Message | James Coleman | 2019-07-08 16:07:06 | Re: [PATCH] Incremental sort (was: PoC: Partial sort) |