| From: | Haribabu Kommi <kommi(dot)haribabu(at)gmail(dot)com> |
|---|---|
| To: | Robert Haas <robertmhaas(at)gmail(dot)com> |
| Cc: | Masahiko Sawada <sawada(dot)mshk(at)gmail(dot)com>, "Moon, Insung" <Moon_Insung_i3(at)lab(dot)ntt(dot)co(dot)jp>, Ibrar Ahmed <ibrar(dot)ahmad(at)gmail(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: [Proposal] Table-level Transparent Data Encryption (TDE) and Key Management Service (KMS) |
| Date: | 2019-03-01 20:52:39 |
| Message-ID: | CAJrrPGe11C9AgNgayDHzhokx-5p1MPF_f=N0XaSpbPt+b=+qDQ@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Sat, Mar 2, 2019 at 7:27 AM Robert Haas <robertmhaas(at)gmail(dot)com> wrote:
> On Thu, Feb 7, 2019 at 3:28 AM Masahiko Sawada <sawada(dot)mshk(at)gmail(dot)com>
> wrote:
> > WAL encryption will follow as an additional feature.
>
> I don't think WAL encryption is an optional feature. You can argue
> about whether it's useful to encrypt the disk files in the first place
> given that there's no privilege boundary between the OS user and the
> database, but a lot of people seem to think it is and maybe they're
> right. However, who can justify encrypting only SOME of the disk
> files and not others? I mean, maybe you could justify not encryption
> the SLRU files on the grounds that they probably don't leak much in
> the way of interesting information, but the WAL files certainly do --
> your data is there, just as much as in the data files themselves.
>
+1
WAL encryption is not optional, it must be encrypted.
> To be honest, I think there is a lot to like about the patches
> Cybertec has proposed. Those patches don't have all of the fancy
> key-management stuff that you are proposing here, but maybe that
> stuff, if we want it, could be added, rather than starting over from
> scratch. It seems to me that those patches get a lot of things right.
> In particular, it looked to me when I looked at them like they made a
> pretty determined effort to encrypt every byte that might go down to
> the disk. It seems to me that you if you want encryption, you want
> that.
>
The Cybertec proposed patches are doing the encryption at the instance
level, AFAIK, the current discussion is also trying to reduce the scope of
the
encryption to object level like (tablesapce, database or table) to avoid
the encryption
performance impact for the databases, tables that don't need it.
IMO, the entire performance of encryption depends on WAL encryption, whether
we choose instance level or object level encryption.
As WAL is not an optional encryption, even if the encryption is set to
object
level, the corresponding objects WAL needs to be encrypted, so this should
be
done at the WAL insertion not at WAL write to disk, because some entries are
not encrypted and some not. Or may be something like encrypting entire WAL
even if one object is set for encryption.
Regards,
Haribabu Kommi
Fujitsu Australia
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Robert Haas | 2019-03-01 21:17:15 | Re: "WIP: Data at rest encryption" patch and, PostgreSQL 11-beta3 |
| Previous Message | Matt Pulver | 2019-03-01 20:49:00 | Re: Infinity vs Error for division by zero |