| From: | Bruce Momjian <bruce(at)momjian(dot)us> |
|---|---|
| To: | Stephen Frost <sfrost(at)snowman(dot)net> |
| Cc: | Alastair Turner <minion(at)decodable(dot)me>, Michael Paquier <michael(at)paquier(dot)xyz>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>, Masahiko Sawada <masahiko(dot)sawada(at)2ndquadrant(dot)com> |
| Subject: | Re: Proposed patch for key managment |
| Date: | 2020-12-22 03:07:48 |
| Message-ID: | 20201222030748.GN28841@momjian.us |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Mon, Dec 21, 2020 at 04:35:14PM -0500, Bruce Momjian wrote:
> On Sun, Dec 20, 2020 at 05:59:09PM -0500, Stephen Frost wrote:
> OK, here it the updated patch. The major change, as Stephen pointed
> out, is that the cluser_key_command (was cluster_passphrase_command) now
> returns a hex-string representing the 32-byte KEK, rather than having
> the server hash whatever the command used to return. This avoids
> double-hashing in cases where you are _not_ using a passphrase, but are
> computing a random 32-byte value in the script. This does mean the
> script has to run sha256 for passphrases, but it seems like a win.
> Updated script are attached too.
Attached is the script patch. It is also at:
https://github.com/postgres/postgres/compare/master...bmomjian:cfe-sh.diff
I think it still needs docs but those will have to be done after the
code doc patch is added.
--
Bruce Momjian <bruce(at)momjian(dot)us> https://momjian.us
EnterpriseDB https://enterprisedb.com
The usefulness of a cup is in its emptiness, Bruce Lee
| Attachment | Content-Type | Size |
|---|---|---|
| auth_key_cmds.diff | text/x-diff | 11.6 KB |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | wenjing | 2020-12-22 03:20:41 | Re: [Proposal] Global temporary tables |
| Previous Message | tsunakawa.takay@fujitsu.com | 2020-12-22 03:03:23 | RE: [Patch] Optimize dropping of relation buffers using dlist |