Re: [Proposal] Table-level Transparent Data Encryption (TDE) and Key Management Service (KMS)

From: Masahiko Sawada <sawada(dot)mshk(at)gmail(dot)com>
To: Joe Conway <mail(at)joeconway(dot)com>
Cc: Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net>, Bruce Momjian <bruce(at)momjian(dot)us>, Tomas Vondra <tomas(dot)vondra(at)2ndquadrant(dot)com>, Robert Haas <robertmhaas(at)gmail(dot)com>, Antonin Houska <ah(at)cybertec(dot)at>, Haribabu Kommi <kommi(dot)haribabu(at)gmail(dot)com>, "Moon, Insung" <Moon_Insung_i3(at)lab(dot)ntt(dot)co(dot)jp>, Ibrar Ahmed <ibrar(dot)ahmad(at)gmail(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: [Proposal] Table-level Transparent Data Encryption (TDE) and Key Management Service (KMS)
Date: 2019-07-10 06:38:54
Message-ID: CAD21AoBavQ1i1KVz0ndZHJsdFuVMEXKHSq9YVHatcTBhGy8nHA@mail.gmail.com
Lists: pgsql-hackers

On Tue, Jul 9, 2019 at 9:01 PM Joe Conway <mail(at)joeconway(dot)com> wrote:
>
> On 7/9/19 6:07 AM, Peter Eisentraut wrote:
> > On 2019-07-08 18:09, Joe Conway wrote:
> >> In my mind, and in practice to a
> >> large extent, a postgres tablespace == a unique mount point.
> >
> > But a critical difference is that in file systems, a separate mount
> > point has its own journal.
>
> While it would be ideal to have separate WAL, and even separate shared
> buffer pools, per tablespace, I think that is too much complexity for
> the first implementation and we could have a single separate key for all
> WAL for now.

If we encrypt different tables with different keys I think we need to
encrypt WAL with the same keys as we used for tables, as per
discussion so far. And we would need to encrypt each WAL record, not
whole WAL 8k pages.

Regards,

--
Masahiko Sawada
NIPPON TELEGRAPH AND TELEPHONE CORPORATION
NTT Open Source Software Center
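The point above, that a WAL page interleaves records of many relations and therefore cannot be encrypted as a unit when each table has its own key, as an added illustration that is not part of the thread and not PostgreSQL code. It assumes a cleartext record header (payload length, table id, LSN), uses the record's LSN as the nonce, and stands in an HMAC-SHA256 keystream with an HMAC tag for AES-CTR/GCM so that it runs with the standard library alone; the table ids, keys and record payloads are constructed sample data.

```python
"""Per-record WAL encryption keyed by table (illustration, not PostgreSQL code).

A WAL page (XLOG_BLCKSZ, 8 kB by default) carries records from many
relations.  If every table has its own key, the page cannot be encrypted
as one unit under one key: each record must be encrypted under the key of
the table it belongs to.  This toy packs records for two tables into one
page and shows a reader holding one table's key recovering only that
table's records.

Assumptions (not from the thread): the record header stays in cleartext,
the LSN serves as the nonce, and the cipher is an HMAC-SHA256 keystream
plus HMAC tag standing in for AES-CTR/GCM.
"""
import hashlib
import hmac
import struct

XLOG_BLCKSZ = 8192           # PostgreSQL's default WAL page size
TAG_LEN = 16                 # truncated HMAC tag appended to each record
HDR = struct.Struct(">IIQ")  # payload length, table id, LSN (cleartext)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR keystream: HMAC-SHA256(key, nonce || counter) blocks."""
    blocks = []
    for counter in range((length + 31) // 32):
        msg = nonce + struct.pack(">Q", counter)
        blocks.append(hmac.new(key, msg, hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def encrypt_record(key: bytes, table_id: int, lsn: int, payload: bytes) -> bytes:
    """Encrypt one record's payload under its table's key; the LSN is the nonce."""
    nonce = struct.pack(">Q", lsn)
    ks = _keystream(key, nonce, len(payload))
    ct = bytes(p ^ k for p, k in zip(payload, ks))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return HDR.pack(len(payload), table_id, lsn) + ct + tag


def decrypt_record(key: bytes, record: bytes) -> bytes:
    """Verify the tag and return the payload; raise ValueError on mismatch."""
    length, _table_id, lsn = HDR.unpack_from(record)
    nonce = struct.pack(">Q", lsn)
    ct = record[HDR.size:HDR.size + length]
    tag = record[HDR.size + length:HDR.size + length + TAG_LEN]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered record")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, length)))


def build_page(records: list) -> bytes:
    """Pack records back to back into one WAL page, zero-padding the rest."""
    body = b"".join(records)
    if len(body) > XLOG_BLCKSZ:
        raise ValueError("records do not fit in one page")
    return body + b"\x00" * (XLOG_BLCKSZ - len(body))


def read_page(page: bytes, keys: dict) -> dict:
    """Walk a page; decrypt records whose table key we hold, skip the others."""
    readable, skipped, pos = [], [], 0
    while pos + HDR.size <= len(page):
        length, table_id, lsn = HDR.unpack_from(page, pos)
        if length == 0:          # zero padding: no more records on this page
            break
        end = pos + HDR.size + length + TAG_LEN
        if table_id in keys:
            readable.append((table_id, lsn, decrypt_record(keys[table_id], page[pos:end])))
        else:
            skipped.append((table_id, lsn))
        pos = end
    return {"readable": readable, "skipped": skipped}


# Constructed sample: two encrypted tables (relfilenode-style ids) whose
# records interleave in one page, as they would in a real WAL stream.
KEY_A = hashlib.sha256(b"table 16384 key").digest()
KEY_B = hashlib.sha256(b"table 16385 key").digest()
SAMPLE_PAGE = build_page([
    encrypt_record(KEY_A, 16384, 0x16B0000, b"INSERT into orders: (1,'alice')"),
    encrypt_record(KEY_B, 16385, 0x16B0040, b"INSERT into secrets: (7,'ssn')"),
    encrypt_record(KEY_A, 16384, 0x16B0080, b"UPDATE orders set qty=2 where id=1"),
])


def demo():
    """Read the same page with only table A's key, then with both keys."""
    a_only = read_page(SAMPLE_PAGE, {16384: KEY_A})
    both = read_page(SAMPLE_PAGE, {16384: KEY_A, 16385: KEY_B})
    return a_only, both


if __name__ == "__main__":
    a_only, both = demo()
    print("key A only:", [r[2] for r in a_only["readable"]], "skipped:", a_only["skipped"])
    print("both keys: ", [r[2] for r in both["readable"]])
```

Because the table id and LSN sit in the cleartext header, a reader can locate and skip records for tables it holds no key for, which is exactly what page-level encryption under a single key would not allow: the holder of the page key would decrypt table B's records along with table A's.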
