Re: storing an explicit nonce

On Thu, Oct 7, 2021 at 11:45 AM Bruce Momjian <bruce(at)momjian(dot)us> wrote:
> I continue to be concerned that a page format change will decrease the
> desirability of this feature by making migration complex and increasing
> its code complexity. I am unclear if it is necessary.
>
> I think the big question is whether XTS with db/relfilenode/blocknumber
> is sufficient as an IV without a nonce that changes for updates.

Those are fair concerns. I think I agree with everything you say here.

There was some discussion earlier (not sure if it was on this thread)
about integrity verification. And I don't think that there's any way
we can do that without storing some kind of integrity verifier in each
page. And if we're doing that anyway to support that feature, then
there's no problem if it also includes the IV. I had read Stephen's
previous comments to indicate that he thought we should go this way,
and it sounded cool to me, too. However, it does make migrations
somewhat more complex, because you would then have to actually
dump-and-reload, rather than, perhaps, just encrypting all the
existing pages while the cluster was offline. Personally, I'm not that
fussed about that problem, but I'm also rarely the one who has to help
people migrate to new releases, so I may not be as sympathetic to
those problems there as I should be.

If we don't care about the integrity verification features, then as
you say the next question is whether it's acceptable to use a
predictable nonce that is computing from values that can be known
without looking at the block contents. If so, we can forget about
$SUBJECT and save ourselves some engineering work. If not, then I
think we need to do $SUBJECT anyway. And so far I am not really
convinced that we know which of those two things is the case. I don't,
anyway.

--
Robert Haas
EDB: http://www.enterprisedb.com