Re: Value of Transparent Data Encryption (TDE)

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Robert Haas <robertmhaas(at)gmail(dot)com>
Cc: Bruce Momjian <bruce(at)momjian(dot)us>, Tomas Vondra <tomas(dot)vondra(at)2ndquadrant(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Value of Transparent Data Encryption (TDE)
Date: 2019-10-03 14:43:21
Message-ID: 20191003144320.GZ6962@tamriel.snowman.net
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

Greetings,

* Robert Haas (robertmhaas(at)gmail(dot)com) wrote:
> On Tue, Oct 1, 2019 at 12:19 PM Bruce Momjian <bruce(at)momjian(dot)us> wrote:
> > Just to give more detail. Initially, there was a desire to store keys
> > in only one place, either in the file system or in database tables.
> > However, it became clear that the needs of booting the server and crash
> > recovery required file system keys, and per-user/db keys were best done
> > at the SQL level, so that indexing can be used, and logical dumps
> > contain the locked keys. SQL-level storage allows databases to be
> > completely independent of other databases in terms of key storage and
> > usage.
>
> Wait, we're going to store the encryption keys with the database? It
> seems like you're debating whether to store your front door keys under
> the doormat or in a fake rock by the side of the path, when what you
> really ought to be doing is keeping them physically separated from the
> house, like in your pocket or your purse.

This isn't news and shouldn't be shocking- databases which support TDE
all have a vaulting system for managing the keys and, yes, that's stored
with the database.

> It seems to me that the right design is that there's a configurable
> mechanism for PostgreSQL to request keys from someplace outside the
> database, and that other place is responsible for storing the keys
> securely and not losing them. Probably, it's a key-server of some kind
> running on another machine, but if you really want you can do
> something insecure instead, like getting them from the local
> filesystem.

I support the option to have an external vault that's used, but I don't
believe that should be a requirement and I don't think that removes the
need to have a vaulting system of our own, so we can have a stand-alone
TDE solution.

> I admit I haven't been following the threads on this topic, but this
> just seems like a really strange idea.

It's not new and it's how TDE works in all of the other database systems
which support it.

Thanks,

Stephen

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Tomas Vondra 2019-10-03 15:08:46 Re: Value of Transparent Data Encryption (TDE)
Previous Message Stephen Frost 2019-10-03 14:40:40 Re: Transparent Data Encryption (TDE) and encrypted files