From: | Jose Luis Tallon <jltallon(at)adv-solutions(dot)net> |
---|---|
To: | Cary Huang <cary(dot)huang(at)highgo(dot)ca>, Masahiko Sawada <masahiko(dot)sawada(at)2ndquadrant(dot)com> |
Cc: | Fabien COELHO <coelho(at)cri(dot)ensmp(dot)fr>, Bruce Momjian <bruce(at)momjian(dot)us>, Ahsan Hadi <ahsan(dot)hadi(at)gmail(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>, "Moon, Insung" <tsukiwamoon(dot)pgsql(at)gmail(dot)com>, Robert Haas <robertmhaas(at)gmail(dot)com>, Sehrope Sarkuni <sehrope(at)jackdb(dot)com>, cary huang <hcary328(at)gmail(dot)com>, Ibrar Ahmed <ibrar(dot)ahmad(at)gmail(dot)com>, Joe Conway <mail(at)joeconway(dot)com> |
Subject: | Re: Internal key management system |
Date: | 2020-06-18 18:21:56 |
Message-ID: | 4a73c734-668e-257a-1c6e-21744e5df055@adv-solutions.net |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On 18/6/20 19:41, Cary Huang wrote:
> Hi all
>
> Having read through the discussion, I have some comments and
> suggestions that I would like to share.
>
> I think it is still quite early to even talk about external key
> management system even if it is running on the same host as PG. This
> is most likely achieved as an extension that can provide communication
> to external key server and it would be a separate project/discussion.
> I think the focus now is to finalize on the internal KMS design, and
> we can discuss about how to migrate internally managed keys to the
> external when the time is right.
As long as there exists a clean interface, and the "default" (internal)
backend is a provider of said functionality, it'll be fine.
Given that having different KMS within a single instance (e.g. per
database) is quite unlikely, I suggest just exposing hook-like
function-pointer variables and be done with it. Requiring a preloaded
library for this purpose doesn't seem too restrictive ---at least at
this stage--- and can be very easily evolved in the future ---
super-simple API which receives a struct made of function pointers, plus
another function to reset it to "internal defaults" and that's it.
>
> Key management system is generally built to manage the life cycle of
> cryptographic keys, so our KMS in my opinion needs to be built with
> key life cycle in mind such as:
>
> * Key generation
> * key protection
> * key storage
> * key rotation
> * key rewrap
> * key disable/enable
> * key destroy
Add the support functions for your suggested "key information"
functionality, and that's a very rough first draft of the API ...
> KMS should not perform the above life cycle management by itself
> automatically or hardcoded, instead it should expose some interfaces
> to the end user or even a backend process like TDE to trigger the above.
> The only key KMS should manage by itself is the KEK, which is derived
> from cluster passphrase value. This is fine in my opinion. This KEK
> should exist only within KMS to perform key protection (by wrapping)
> and key storage (save as file).
Asking for the "cluster password" is something better left optional /
made easily overrideable ... or we risk thousands of clusters suddenly
not working after a reboot.... :S
Just my .02€
Thanks,
J.L.
From | Date | Subject | |
---|---|---|---|
Next Message | Robert Haas | 2020-06-18 18:30:15 | Re: [patch] demote |
Previous Message | Robert Haas | 2020-06-18 18:15:41 | Re: More tzdb fun: POSIXRULES is being deprecated upstream |