| From: | Bruce Momjian <bruce(at)momjian(dot)us> |
|---|---|
| To: | Antonin Houska <ah(at)cybertec(dot)at> |
| Cc: | Robert Haas <robertmhaas(at)gmail(dot)com>, Masahiko Sawada <sawada(dot)mshk(at)gmail(dot)com>, Joe Conway <mail(at)joeconway(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net>, Tomas Vondra <tomas(dot)vondra(at)2ndquadrant(dot)com>, Haribabu Kommi <kommi(dot)haribabu(at)gmail(dot)com>, "Moon, Insung" <Moon_Insung_i3(at)lab(dot)ntt(dot)co(dot)jp>, Ibrar Ahmed <ibrar(dot)ahmad(at)gmail(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: [Proposal] Table-level Transparent Data Encryption (TDE) and Key Management Service (KMS) |
| Date: | 2019-11-07 01:19:49 |
| Message-ID: | 20191107011949.GA5682@momjian.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Sat, Nov 2, 2019 at 01:34:41PM +0100, Antonin Houska wrote:
> Robert Haas <robertmhaas(at)gmail(dot)com> wrote:
>
> > On Tue, Aug 6, 2019 at 10:36 AM Bruce Momjian <bruce(at)momjian(dot)us> wrote:
>
> > Seems reasonable (not that I am an encryption expert).
> >
> > > For WAL, we effectively create a 16MB bitstream, though we can create it
> > > in parts as needed. (Creating it in parts is easier in CTR mode.) The
> > > nonce is the segment number, but each 16-byte chunk uses a different
> > > counter. Therefore, even if you are encrypting the same 8k page several
> > > times in the WAL, the 8k page would be different because of the LSN (and
> > > other changes), and the bitstream you encrypt/XOR it with would be
> > > different because the counter would be different for that offset in the
> > > WAL.
> >
> > But, if you encrypt the same WAL page several times, the LSN won't
> > change, because a WAL page doesn't have an LSN on it, and if it did,
> > it wouldn't be changing, because an LSN is just a position within the
> > WAL stream, so any given byte on any given WAL page always has the
> > same LSN, whatever it is.
> >
> > And if the counter value changed on re-encryption, I don't see how
> > we'd know what counter value to use when decrypting. There's no way
> > for the code that is decrypting to know how many times the page got
> > rewritten as it was being filled.
> >
> > Please correct me if I'm being stupid here.
>
> In my implementation (I haven't checked whether Masahiko Sawada changed this
> in his patch) I avoided repeated encryption of different data using the same
> key+IV by omitting the unused part of the WAL page from encryption. Already
> written records can be encrypted repeatedly because they do not change.
Right. Even though AES with CTR generates encryption bit patterns in
16-byte chunks, you only XOR the bytes you have written. So, if the WAL
record is 167 bytes, you generate 11 16-byte patterns, but you only XOR
the first seven bytes of the 11th 16-byte block. CTR is not like CBC
which has to encrypt in 16-byte chunks.
--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ As you are, so once was I. As I am, so you will be. +
+ Ancient Roman grave inscription +
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bruce Momjian | 2019-11-07 01:23:56 | Re: ssl passphrase callback |
| Previous Message | Andrew Dunstan | 2019-11-07 00:57:00 | Re: TAP tests aren't using the magic words for Windows file access |