From: | Tomas Vondra <tomas(dot)vondra(at)2ndquadrant(dot)com> |
---|---|
To: | Stephen Frost <sfrost(at)snowman(dot)net> |
Cc: | Robert Haas <robertmhaas(at)gmail(dot)com>, Bruce Momjian <bruce(at)momjian(dot)us>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Value of Transparent Data Encryption (TDE) |
Date: | 2019-10-03 15:08:46 |
Message-ID: | 20191003150846.6s5qzidltro6trwh@development |
Lists: | pgsql-hackers |
On Thu, Oct 03, 2019 at 10:43:21AM -0400, Stephen Frost wrote:
>Greetings,
>
>* Robert Haas (robertmhaas(at)gmail(dot)com) wrote:
>> On Tue, Oct 1, 2019 at 12:19 PM Bruce Momjian <bruce(at)momjian(dot)us> wrote:
>> > Just to give more detail. Initially, there was a desire to store keys
>> > in only one place, either in the file system or in database tables.
>> > However, it became clear that the needs of booting the server and crash
>> > recovery required file system keys, and per-user/db keys were best done
>> > at the SQL level, so that indexing can be used, and logical dumps
>> > contain the locked keys. SQL-level storage allows databases to be
>> > completely independent of other databases in terms of key storage and
>> > usage.
>>
>> Wait, we're going to store the encryption keys with the database? It
>> seems like you're debating whether to store your front door keys under
>> the doormat or in a fake rock by the side of the path, when what you
>> really ought to be doing is keeping them physically separated from the
>> house, like in your pocket or your purse.
>
>This isn't news and shouldn't be shocking- databases which support TDE
>all have a vaulting system for managing the keys and, yes, that's stored
>with the database.
>
Right. The important bit here is that the vault is encrypted, and has to
be unlocked using a passphrase (or something like that) when starting
the database. So it's not really as silly as a key under the doormat.
>> It seems to me that the right design is that there's a configurable
>> mechanism for PostgreSQL to request keys from someplace outside the
>> database, and that other place is responsible for storing the keys
>> securely and not losing them. Probably, it's a key-server of some kind
>> running on another machine, but if you really want you can do
>> something insecure instead, like getting them from the local
>> filesystem.
>
>I support the option to have an external vault that's used, but I don't
>believe that should be a requirement and I don't think that removes the
>need to have a vaulting system of our own, so we can have a stand-alone
>TDE solution.
>
Right. If anything, we need a local vault that we could use for testing.
In other cases it might be a simple wrapper for a vault/keyring provided
by the operating system (if it's good enough for gpg keys ...).
>> I admit I haven't been following the threads on this topic, but this
>> just seems like a really strange idea.
>
>It's not new and it's how TDE works in all of the other database systems
>which support it.
>
Yep.
regards
--
Tomas Vondra http://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services