Re: XTS cipher mode for cluster file encryption

From: Michael Banck <michael(dot)banck(at)credativ(dot)de>
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: Bruce Momjian <bruce(at)momjian(dot)us>, Andres Freund <andres(at)anarazel(dot)de>, Antonin Houska <ah(at)cybertec(dot)at>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>, Robert Haas <robertmhaas(at)gmail(dot)com>, Sasasu <i(at)sasa(dot)su>
Subject: Re: XTS cipher mode for cluster file encryption
Date: 2022-02-01 22:44:41
Message-ID: 61f9b7da.1c69fb81.5b5f4.6eb9@mx.google.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

Hi,

On Tue, Feb 01, 2022 at 01:07:36PM -0500, Stephen Frost wrote:
> On Tue, Feb 1, 2022 at 12:50 Bruce Momjian <bruce(at)momjian(dot)us> wrote:
> > On Tue, Feb 1, 2022 at 07:45:06AM +0100, Antonin Houska wrote:
> > > > With pg_upgrade modified to preserve the relfilenode, tablespace
> > > > oid, and database oid, we are now closer to implementing cluster
> > > > file encryption using XTS. I think we have a few steps left:
> > > >
> > > > 1. modify temporary file I/O to use a more centralized API
> > > > 2. modify the existing cluster file encryption patch to use XTS with a
> > > > IV that uses more than the LSN
> > > > 3. add XTS regression test code like CTR
> > > > 4. create WAL encryption code using CTR
> > > >
> > > > If we can do #1 in PG 15 I think I can have #2 ready for PG 16 in July.
> > > > The feature wiki page is:
> > > >
> > > > https://wiki.postgresql.org/wiki/Transparent_Data_Encryption
> > > >
> > > > Do people want to advance this feature forward?
> > >
> > > I confirm that we (Cybertec) do and that we're ready to spend more
> > > time on the community implementation.
> >
> > Well, I sent an email a week ago asking if people want to advance this
> > feature forward, and so far you are the only person to reply, which I
> > think means there isn't enough interest in this feature to advance it.
>
> This confuses me. Clearly there’s plenty of interest, but asking on hackers
> in a deep old sub thread isn’t a terribly good way to judge that. Yet even
> when there is an active positive response, you argue that there isn’t
> enough.

Even more so because not Antonin not only replied as an individual, but
in the name of a whole company developing Postgres in general and TDE in
particular.

Michael

--
Michael Banck
Teamleiter PostgreSQL-Team
Projektleiter
Tel.: +49 2166 9901-171
Email: michael(dot)banck(at)credativ(dot)de

credativ GmbH, HRB Mönchengladbach 12080
USt-ID-Nummer: DE204566209
Trompeterallee 108, 41189 Mönchengladbach
Geschäftsführung: Dr. Michael Meskes, Geoff Richardson, Peter Lilley

Unser Umgang mit personenbezogenen Daten unterliegt
folgenden Bestimmungen: https://www.credativ.de/datenschutz

In response to

Browse pgsql-hackers by date

  From Date Subject
Next Message Tom Lane 2022-02-01 23:37:02 Re: Replace uses of deprecated Python module distutils.sysconfig
Previous Message Nathan Bossart 2022-02-01 22:36:40 Re: make MaxBackends available in _PG_init