Re: WIP: Data at rest encryption

From: Bruce Momjian <bruce(at)momjian(dot)us>
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, Ants Aasma <ants(dot)aasma(at)eesti(dot)ee>, Robert Haas <robertmhaas(at)gmail(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: WIP: Data at rest encryption
Date: 2017-06-14 14:53:12
Message-ID: 20170614145312.GB4750@momjian.us
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

On Tue, Jun 13, 2017 at 06:29:20PM -0400, Stephen Frost wrote:
> > Isn't the leakage controlled by OS permissions, so is it really leakage,
> > i.e., if you can see the leakage, you probably have bypassed the OS
> > permissions and see the key and data anyway.
>
> The case I'm mainly considering is if you somehow lose control over the
> medium in which the encrypted database resides- that is, someone steals
> the hard drive, or perhaps the hard drive is sold without properly being
> wiped first, things like that.
>
> In such a case, there's no OS permissions to bypass because the OS is
> now controlled by the attacker. In that case, if the key wasn't stored
> on the hard drive, then the attacker would be able to see the contents
> of the filesystem and the associated metadata, but not the contents of
> the cluster.
>
> In that case, the distinction between filesystem-level encryption and
> PG-level encryption is that with filesystem-level encryption the
> attacker wouldn't be able to even see what files exist or any metadata
> about them, whereas with PG-level encryption that information would be
> available to the attacker.

Yes, Peter Eisentraut pointed that out in an earlier email in this
thread. Thanks.

> > > > The benefit is allowing configuration
> > > > in the database rather than the OS?
> > >
> > > No, the benefit is that the database administrator can configure it and
> > > set it up and not have to get an OS-level administrator involved. There
> > > may also be other reasons why filesystem-level encryption is difficult
> > > to set up or use in a certain environment, but this wouldn't depend on
> > > anything OS-related and therefore could be done.
> >
> > OK, my only point here is that we are going down a slippery slope of
> > implementing OS things in the database. There is nothing wrong with
> > that but it has often been something we have avoided, because of the
> > added complexity required in the db server.
>
> I'm not sure that I actually agree that encryption is really solely an
> OS-level function, or even that encryption at rest is solely the OS's
> job. As a counter-example, I encrypt my SSH keys and GPG keys
> routinely, even when I'm using OS-level filesystem encryption. Perhaps
> that's excessive of me, but, well, I don't find it so. :)

Well, I think SSH and GPG keys are a case of selective encryption, which
is where I said database encryption could really be a win, because you
can't do that outside the database. Just to go crazy, here is something
I think would be cool for a fully or partially encrypted data row:

row data encrypted with symmetric key k
k encrypted with public key of user 1
k encrypted with public key of user 2
hash of previous fields signed by insert user

The would allow the insert user complete control over who sees the row.
The database administrator could corrupt the row or add/remove users,
but that would be detected by the hash signature being invalid. This is
kind of like TLS bundled in the database. I think this is actually all
possible now too. :-)

> > As a counter-example, we only added an external collation library to
> > Postgres when we clearly saw a benefit, e.g. detecting collation
> > changes.
>
> Right, and there's also the potential for adding more flexibility down
> the road, which I'm certainly all for, but I see value in having even
> this initial version of the feature too.

Understood.

> > > Also, tools like pg_basebackup could be used, with nearly zero changes,
> > > I think, to get an encrypted copy of the database for backup purposes,
> > > removing the need to work out a way to handle encrypting backups.
> >
> > I do think we need much more documentation on how to encrypt things,
> > though that is a separate issue. It might help to document how you
> > _should_ do things now to see the limitations we have.
>
> Improving our documentation would certainly be good, but I'm not sure
> that we can really recommend specific ways of doing things like
> filesystem-level encryption, as that's really OS-dependent and there
> could be trade-offs in different ways a given OS might provide that
> capability. I'm not sure that having our documentation generically say
> "you should use filesystem-level encryption" would really be very
> helpful.
>
> Perhaps I misunderstood your suggestion here though..?

I was just throwing out the idea that sometimes writing things down
shows the gaps in our feature-set --- it might not apply here.

> > > > Is the problem that you have to encrypt before sending and decrypt on
> > > > arrival, if you don't trust the transmission link? Is that used a lot?
> > > > Is having the db encrypt every write a reasonable solution to that?
> > >
> > > There's multiple use-cases here. Making it easier to copy the database
> > > is just one of them and it isn't the biggest one. The biggest benefit
> > > is that there's cases where filesystem-level encryption isn't really an
> > > option or, even if it is, it's not desirable for other reasons.
> >
> > I am thinking NAS storage you don't trust, though there is the leakage
> > there.
>
> Yes, NAS or SAN storage where you don't want the NAS/SAN administrators
> to have access to the data is a good example of where encryption would
> be useful. Of course, either filesystem-level or PG-level encryption
> would address that, but with the trade-off that PG-level encryption
> would allow the NAS/SAN administrators to see the file metadata, as
> discussed above.

Uh, as far as I understand it, SAN could technically use encryption
because you are sending blocks to the network storage and you could
encrypt the blocks before transfer. However, I don't think that would
work for NAS/NFS.

> > Also, has anyone asked users if they would find db-encryption better
> > than file system encryption?
>
> I've been asked for this capability multiple times from our users and
> have generally pushed back and encouraged filesystem-level encryption.
> That hasn't always been an acceptable solution, unfortunately.

Yes, it would be good to know how often that happens, and whether we
should be adjusting Postgres to address it. The idea posted of using
plugin storage for encryption seems like a cool idea, and compression
and stuff could be added. (However, I realize encryption and compression
doesn't work well because of information leakage.)

--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ As you are, so once was I. As I am, so you will be. +
+ Ancient Roman grave inscription +

In response to

Browse pgsql-hackers by date

  From Date Subject
Next Message Bruce Momjian 2017-06-14 15:05:51 Re: pgindent (was Re: [COMMITTERS] pgsql: Preventive maintenance in advance of pgindent run.)
Previous Message Tom Lane 2017-06-14 14:38:40 Re: pgindent (was Re: [COMMITTERS] pgsql: Preventive maintenance in advance of pgindent run.)