Quick Links

Re: Internal key management system

From:	Bruce Momjian <bruce(at)momjian(dot)us>
To:	Craig Ringer <craig(dot)ringer(at)enterprisedb(dot)com>
Cc:	Masahiko Sawada <masahiko(dot)sawada(at)2ndquadrant(dot)com>, Fabien COELHO <coelho(at)cri(dot)ensmp(dot)fr>, Cary Huang <cary(dot)huang(at)highgo(dot)ca>, Ahsan Hadi <ahsan(dot)hadi(at)gmail(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>, "Moon, Insung" <tsukiwamoon(dot)pgsql(at)gmail(dot)com>, Robert Haas <robertmhaas(at)gmail(dot)com>, Sehrope Sarkuni <sehrope(at)jackdb(dot)com>, cary huang <hcary328(at)gmail(dot)com>, Ibrar Ahmed <ibrar(dot)ahmad(at)gmail(dot)com>, Joe Conway <mail(at)joeconway(dot)com>
Subject:	Re: Internal key management system
Date:	2020-10-27 14:20:35
Message-ID:	20201027142035.GM4951@momjian.us
Views:	Raw Message \| Whole Thread \| Download mbox \| Resend email
Thread:
Lists:	pgsql-hackers

On Tue, Oct 27, 2020 at 10:02:53PM +0800, Craig Ringer wrote:
> On Tue, 27 Oct 2020, 19:15 Bruce Momjian, <bruce(at)momjian(dot)us> wrote:
> We don't need to do anything except provide a way to tell OpenSSL where to get
> the KEK from, for situations where having Pg generate it internally
> undesirable.
>
> I proposed a simple GUC that we could supply to OpenSSL as a key path because
> it's simple. It's definitely not best.
>
> In my prior mail I outlined what I think is a better way. Abstract key key
> initialisation - passphrase fetching KEK/HMAC loading and all of it - behind a
> pluggable interface. Looking at the patch, it's mostly there already. We just
> need a way to hook the key loading and setup so it can be overridden to use
> whatever method is required. Then KEK operations to encrypt and decrypt the
> heap and WAL keys happen via that abstraction.
>
> That way Pg does not have to care about the details of hardware key management,
> PKCS#11 or OpenSSL engines, etc.
>
> A little thought is needed to make key rotation work well. Especially when you
> want to switch from cluster passphrase to a plugin that supports use of a HVM
> escrowed key, or vice versa.
>
> But most of what's needed looks like it's there already. It's just down to
> making sure the key loading and initialisation is overrideable.

I don't know much about how to hook into that stuff so if you have an
idea, I am all ears. I have used OpenSSL with Yubikey via pksc11. You
can see the use of it on slide 57 and following:

https://momjian.us/main/writings/crypto_hw_config.pdf#page=57

Interestingly, that still needed the user to type in a key to unlock the
Yubikey, so we might need PKCS11 and a password for the same server
start.

I would like to get this moving forward so I will work on the idea of
passing an open /dev/tty file descriptor from pg_ctl to the postmaster
on start.

--
Bruce Momjian <bruce(at)momjian(dot)us> https://momjian.us
EnterpriseDB https://enterprisedb.com

The usefulness of a cup is in its emptiness, Bruce Lee

In response to

Re: Internal key management system at 2020-10-27 14:02:53 from Craig Ringer

Responses

Re: Internal key management system at 2020-10-28 01:43:14 from Bruce Momjian

Browse pgsql-hackers by date

	From	Date	Subject
Next Message	Dilip Kumar	2020-10-27 14:22:50	Re: Re: parallel distinct union and aggregate support patch
Previous Message	Tom Lane	2020-10-27 14:19:34	Re: Question about make coverage-html