Quick Links

Re: Internal key management system

From:	Craig Ringer <craig(dot)ringer(at)enterprisedb(dot)com>
To:	Bruce Momjian <bruce(at)momjian(dot)us>
Cc:	Masahiko Sawada <masahiko(dot)sawada(at)2ndquadrant(dot)com>, Fabien COELHO <coelho(at)cri(dot)ensmp(dot)fr>, Cary Huang <cary(dot)huang(at)highgo(dot)ca>, Ahsan Hadi <ahsan(dot)hadi(at)gmail(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>, "Moon, Insung" <tsukiwamoon(dot)pgsql(at)gmail(dot)com>, Robert Haas <robertmhaas(at)gmail(dot)com>, Sehrope Sarkuni <sehrope(at)jackdb(dot)com>, cary huang <hcary328(at)gmail(dot)com>, Ibrar Ahmed <ibrar(dot)ahmad(at)gmail(dot)com>, Joe Conway <mail(at)joeconway(dot)com>
Subject:	Re: Internal key management system
Date:	2020-10-28 04:02:46
Message-ID:	CAGRY4nw98=WB89BpWgvNU9vGHVz_ZNCqWWRierCA_9924SVLfg@mail.gmail.com
Views:	Raw Message \| Whole Thread \| Download mbox \| Resend email
Thread:
Lists:	pgsql-hackers

On Wed, Oct 28, 2020 at 9:43 AM Bruce Momjian <bruce(at)momjian(dot)us> wrote:
>

> I don't know much about how to hook into that stuff so if you have an
> idea, I am all ears.

Yeah, I have a reasonable idea. The main thing will be to re-read the patch
and put it into more concrete terms, which I'll try to find time for soon.
I need to find time to craft a proper demo that uses a virtual hsm, and can
also demonstrate how to use the host TPM or a Yubikey using the simple
openssl engine interfaces or a URI.

I have used OpenSSL with Yubikey via pksc11. You
> can see the use of it on slide 57 and following:
>
> https://momjian.us/main/writings/crypto_hw_config.pdf#page=57
>
> Interestingly, that still needed the user to type in a key to unlock the
> Yubikey, so we might need PKCS11 and a password for the same server
> start.
>

Yes, that's possible. But in that case the passphrase will be asked for by
openssl only when required, and we'll need to supply an openssl askpass
hook.

In response to

Re: Internal key management system at 2020-10-28 01:43:14 from Bruce Momjian

Responses

Re: Internal key management system at 2020-10-28 09:16:32 from Craig Ringer
Re: Internal key management system at 2020-10-28 18:29:16 from Bruce Momjian

Browse pgsql-hackers by date

	From	Date	Subject
Next Message	osumi.takamichi@fujitsu.com	2020-10-28 04:11:28	RE: Disable WAL logging to speed up data loading
Previous Message	Andres Freund	2020-10-28 03:51:10	Re: recovering from "found xmin ... from before relfrozenxid ..."