From: | Stephen Frost <sfrost(at)snowman(dot)net> |
---|---|
To: | Ryan Lambert <ryan(at)rustprooflabs(dot)com> |
Cc: | Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, Bruce Momjian <bruce(at)momjian(dot)us>, Joe Conway <mail(at)joeconway(dot)com>, Antonin Houska <ah(at)cybertec(dot)at>, Masahiko Sawada <sawada(dot)mshk(at)gmail(dot)com>, Tomas Vondra <tomas(dot)vondra(at)2ndquadrant(dot)com>, Robert Haas <robertmhaas(at)gmail(dot)com>, Haribabu Kommi <kommi(dot)haribabu(at)gmail(dot)com>, "Moon, Insung" <Moon_Insung_i3(at)lab(dot)ntt(dot)co(dot)jp>, Ibrar Ahmed <ibrar(dot)ahmad(at)gmail(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: [Proposal] Table-level Transparent Data Encryption (TDE) and Key Management Service (KMS) |
Date: | 2019-07-10 18:41:42 |
Message-ID: | 20190710184142.GS29202@tamriel.snowman.net |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
Greetings,
* Ryan Lambert (ryan(at)rustprooflabs(dot)com) wrote:
> > what is it that gets stored in the page for
> > decryption use, the nonce or the IV derived from it?
>
> I believe storing the IV is preferable and still secure per [1]: "The IV
> need not be secret"
>
> Beyond needing the database oid, if every decrypt function has to
> regenerate the IV from the nonce that will affect performance. I don't
> know how expensive the forward hash is but it won't be free.
Compared to the syscall and possible disk i/o required, I'm not sure
that's something we really need to try to optimize for, particularly if
we could store something more generally useful (like the LSN) in that
little bit of space that's available in each page.
Thanks,
Stephen
From | Date | Subject | |
---|---|---|---|
Next Message | Bruce Momjian | 2019-07-10 18:41:44 | Re: [Proposal] Table-level Transparent Data Encryption (TDE) and Key Management Service (KMS) |
Previous Message | Ryan Lambert | 2019-07-10 18:38:02 | Re: [Proposal] Table-level Transparent Data Encryption (TDE) and Key Management Service (KMS) |