From: | Bruce Momjian <bruce(at)momjian(dot)us> |
---|---|
To: | Stephen Frost <sfrost(at)snowman(dot)net> |
Cc: | Alastair Turner <minion(at)decodable(dot)me>, Michael Paquier <michael(at)paquier(dot)xyz>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>, Masahiko Sawada <masahiko(dot)sawada(at)2ndquadrant(dot)com> |
Subject: | Re: Proposed patch for key managment |
Date: | 2020-12-22 03:07:48 |
Message-ID: | 20201222030748.GN28841@momjian.us |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Mon, Dec 21, 2020 at 04:35:14PM -0500, Bruce Momjian wrote:
> On Sun, Dec 20, 2020 at 05:59:09PM -0500, Stephen Frost wrote:
> OK, here it the updated patch. The major change, as Stephen pointed
> out, is that the cluser_key_command (was cluster_passphrase_command) now
> returns a hex-string representing the 32-byte KEK, rather than having
> the server hash whatever the command used to return. This avoids
> double-hashing in cases where you are _not_ using a passphrase, but are
> computing a random 32-byte value in the script. This does mean the
> script has to run sha256 for passphrases, but it seems like a win.
> Updated script are attached too.
Attached is the script patch. It is also at:
https://github.com/postgres/postgres/compare/master...bmomjian:cfe-sh.diff
I think it still needs docs but those will have to be done after the
code doc patch is added.
--
Bruce Momjian <bruce(at)momjian(dot)us> https://momjian.us
EnterpriseDB https://enterprisedb.com
The usefulness of a cup is in its emptiness, Bruce Lee
Attachment | Content-Type | Size |
---|---|---|
auth_key_cmds.diff | text/x-diff | 11.6 KB |
From | Date | Subject | |
---|---|---|---|
Next Message | wenjing | 2020-12-22 03:20:41 | Re: [Proposal] Global temporary tables |
Previous Message | tsunakawa.takay@fujitsu.com | 2020-12-22 03:03:23 | RE: [Patch] Optimize dropping of relation buffers using dlist |