From: | Pavlo Golub <pavlo(dot)golub(at)cybertec(dot)at> |
---|---|
To: | Antonin Houska <ah(at)cybertec(dot)at>, Robert Haas <robertmhaas(at)gmail(dot)com> |
Cc: | Toshi Harada <harada(dot)toshi(at)po(dot)ntt-tx(dot)co(dot)jp>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: "WIP: Data at rest encryption" patch and, PostgreSQL 11-beta3 |
Date: | 2019-06-06 10:58:39 |
Message-ID: | 457444826.20190606135839@cybertec.at |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
Greetings, Antonin.
You wrote 2019-06-05, 15:32:
> Robert Haas <robertmhaas(at)gmail(dot)com> wrote:
>> On Fri, May 31, 2019 at 2:59 AM Antonin Houska <ah(at)cybertec(dot)at> wrote:
>> > > Sounds good. I'm not quite sure how this is going to work. Ideally
>> > > you'd like the encryption key command to fetch the key from something
>> > > like ssh-agent, or maybe pop up a window on the user's terminal with a
>> > > key prompt. Just reading from stdin and writing to stdout is not
>> > > going to be very convenient...
>> >
>> > When I mentioned writing to stdout in my previous email, I viewed it from the
>> > perspective of postmaster: whichever way the command gets the password from
>> > the DBA, it'll always write it to stdout and postmaster will read it from
>> > there. This was to address your objection that the executables do not actually
>> > "return" strings.
>>
>> So the part about returning strings is really just a wording issue:
>> the documentation needs to talk about data sent to stdout or wherever,
>> because that's what really happens, and somebody writing such a
>> command from scratch needs to know what it must do.
>>
>> What I'm talking about here is that it also has to be reasonably
>> possible to write an encryption key command that does something
>> useful. I don't have a really clear vision for how that's going to
>> work. Nobody wants the server, which is probably being launched by
>> pg_ctl or systemd or both, to prompt using its own stdin/stderr, but
>> the we need to think about how the prompting is actually going to
>> work.
> Since you mentioned ssh-agent above, I think that postmaster can, instead of
> running a command, create an unix socket and read the key from there. (I refer
> only to the socket as a communication channel, not to the protocol - ssh-agent
> does not seem to actually send key over the socket.) Unlike the socket for
> backend connections, this one would only be readable by the user that runs
> postmaster, and would only exist during the encryption initialization.
> The simplest approach from the perspective of the DBA is that pg_ctl can write
> the key to the socket. Besides that we can also implement a separate utility
> to send the key, to be used in other special cases such as starting postgres
> via systemd.
> (If the unix socket is a problem on windows, we might need to use named pipe
> instead.)
Yes, that definitely a problem on Windows. Pipes seems reasonable. Are
mapped files are appropriate from the security point of view?
>> > The header comment in pg_upgrade.c indicates that this is because of TOAST. So
>> > I think that dbnode and relfilenode are not preserved just because there was
>> > no strong reason to do so by now.
>>
>> Maybe you want to propose an independent patch making that change?
> I think of a separate diff in the encryption patch series. As the encryption
> is the only reason for this enhancement, I'm not sure if it deserves a
> separate CF entry. (Although it might be considered refactoring because
> eventually pg_upgrade won't need to handle the different relnodes, and thus it
> might become a little bit simpler.)
--
Kind regards,
Pavlo mailto:pavlo(dot)golub(at)cybertec(dot)at
From | Date | Subject | |
---|---|---|---|
Next Message | Kyotaro Horiguchi | 2019-06-06 11:06:12 | pg_checksums has an untranslatable string. |
Previous Message | Horiguchi Kyotaro | 2019-06-06 09:55:14 | pg_checksums has an untranslatable string. |