Re: Transparent column encryption

From: Peter Eisentraut <peter(dot)eisentraut(at)enterprisedb(dot)com>
To: Masahiko Sawada <sawada(dot)mshk(at)gmail(dot)com>
Cc: pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Transparent column encryption
Date: 2022-08-30 11:40:43
Message-ID: d26a2144-9b77-7d0b-1206-467d83db87a0@enterprisedb.com
Lists: pgsql-hackers

On 20.07.22 08:12, Masahiko Sawada wrote:
> ---
> Regarding the documentation, I'd like to have a page that describes
> the generic information of the transparent column encryption for users
> such as what this feature actually does, what can be achieved by this
> feature, CMK rotation, and its known limitations. The patch has
> "Transparent Column Encryption" section in protocol.sgml but it seems
> to be more internal information.

I have added more documentation in the v6 patch.

> ---
> In datatype.sgml, it says "Thus, clients that don't support
> transparent column encryption or have disabled it will see the
> encrypted values as byte arrays." but I got an error rather than
> encrypted values when I tried to connect to the server using
> clients that don't support the encryption:
>
> postgres(1:6040)=# select * from tbl;
> no CMK lookup found for realm ""

This has now been improved in v6. The protocol changes need to be
activated explicitly at connection time, so if you use a client that
doesn't support it or doesn't activate it, you get the described behavior.

> ---
> In single-user mode, the user cannot decrypt the encrypted value but
> probably it's fine in practice.

Yes, there is nothing really to do about that.

> ---
> Regarding the column master key rotation, would it be useful if we
> provide a tool for that? For example, it takes old and new CMK as
> input, re-encrypts all CEKs related to the CMK, and registers them to
> the server.

I imagine users using a variety of key management systems, so I don't
see how a single tool would work. But it's something we can think about
in the future.

> ---
> Is there any convenient way to load a large amount of test data to the
> encrypted columns? I tried to use generate_series() but it seems not
> to work as it generates the data on the server side:

No, that doesn't work, by design. You'd have to write a client program
to generate the data.

> I've also tried to load the data from a file on the client by using
> \copy command, but it seems not to work:
>
> postgres(1:80556)=# copy (select generate_series(1, 1000)::text) to
> '/tmp/tmp.dat';
> COPY 1000
> postgres(1:80556)=# \copy a from '/tmp/tmp.dat'
> COPY 1000
> postgres(1:80556)=# select * from a;
> out out memory

This was a bug that I have fixed.

> ---
> I got SEGV in the following two situations:

I have fixed these.
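The exchange above touches three consequences of the key hierarchy behind the patch: a client-held column master key (CMK) wraps a column encryption key (CEK), values are encrypted on the client so the server only stores byte arrays, and rotating the CMK means re-wrapping CEKs rather than touching data. The following is an added illustration, not code from the patch or from PostgreSQL; the `Server` class, the `seal`/`unseal` cipher and all names in it are assumptions for the demonstration, and the cipher is a stdlib-only stand-in (HMAC-SHA256 keystream with encrypt-then-MAC) for the AES scheme the patch uses. It shows why a server-side `generate_series()` cannot populate the column, what a client without encryption support gets back, and how a CMK rotation of the kind discussed leaves stored rows unchanged while invalidating the old CMK.

```python
import hashlib
import hmac
import os
from typing import Dict, List

# Toy cipher (stdlib only): HMAC-SHA256 keystream XOR, encrypt-then-MAC.
# A stand-in for the patch's AES-based scheme, for illustration only.
NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key: bytes):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Authenticated encryption: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Verify the tag first; a wrong key or altered bytes raise ValueError."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or altered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Server:
    """Hypothetical server state: CEKs wrapped under a CMK plus opaque byte
    arrays in the encrypted column. It never holds a CMK or a bare CEK."""
    def __init__(self) -> None:
        self.wrapped_ceks: Dict[str, bytes] = {}   # cek name -> CEK wrapped by CMK
        self.column: List[bytes] = []              # stored ciphertexts


def register_cek(server: Server, cmk: bytes, cek_name: str) -> None:
    # The client generates the CEK and hands the server only the wrapped form.
    server.wrapped_ceks[cek_name] = seal(cmk, os.urandom(32), aad=cek_name.encode())


def _unwrap(server: Server, cmk: bytes, cek_name: str) -> bytes:
    return unseal(cmk, server.wrapped_ceks[cek_name], aad=cek_name.encode())


def client_insert(server: Server, cmk: bytes, cek_name: str, values: List[str]) -> int:
    """Encrypt on the client and send bytes. A server-side generate_series()
    cannot fill this column because the server has no key to encrypt with."""
    cek = _unwrap(server, cmk, cek_name)
    server.column.extend(seal(cek, v.encode()) for v in values)
    return len(values)


def client_select(server: Server, cmk: bytes, cek_name: str) -> List[str]:
    cek = _unwrap(server, cmk, cek_name)
    return [unseal(cek, row).decode() for row in server.column]


def legacy_select(server: Server) -> List[bytes]:
    """A client without encryption support just gets the byte arrays."""
    return list(server.column)


def rotate_cmk(server: Server, old_cmk: bytes, new_cmk: bytes) -> int:
    """Re-wrap every CEK under the new CMK; stored ciphertexts are untouched."""
    for name, wrapped in list(server.wrapped_ceks.items()):
        cek = unseal(old_cmk, wrapped, aad=name.encode())
        server.wrapped_ceks[name] = seal(new_cmk, cek, aad=name.encode())
    return len(server.wrapped_ceks)


def demo() -> dict:
    """End-to-end run on constructed sample values; returns results for checking."""
    server = Server()
    cmk_v1, cmk_v2 = os.urandom(32), os.urandom(32)
    register_cek(server, cmk_v1, "cek1")
    client_insert(server, cmk_v1, "cek1", ["alice", "bob", "carol"])
    before = legacy_select(server)
    rotated = rotate_cmk(server, cmk_v1, cmk_v2)
    try:
        client_select(server, cmk_v1, "cek1")
        old_cmk_still_works = True
    except ValueError:
        old_cmk_still_works = False
    return {
        "decrypted": client_select(server, cmk_v2, "cek1"),
        "legacy_sees_plaintext": any(b"alice" in row for row in legacy_select(server)),
        "rows_unchanged_by_rotation": legacy_select(server) == before,
        "ceks_rewrapped": rotated,
        "old_cmk_still_works": old_cmk_still_works,
    }
```

`demo()` registers one CEK, inserts three rows as a capable client, rotates the CMK and then reads back with both the new and the old CMK; the old one fails the wrapped-CEK authentication tag, the new one decrypts, and the stored rows are byte-for-byte identical before and after rotation. The CEK name is bound into the wrap as associated data so a wrapped CEK cannot be silently swapped between names.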
