| From: | Sam Gendler <sgendler(at)ideasculptor(dot)com> |
|---|---|
| To: | Michel Pelletier <pelletier(dot)michel(at)gmail(dot)com> |
| Cc: | Zahir Lalani <ZahirLalani(at)oliver(dot)agency>, "pgsql-general(at)postgresql(dot)org" <pgsql-general(at)postgresql(dot)org> |
| Subject: | Re: Application Level Encryption |
| Date: | 2020-07-05 22:23:01 |
| Message-ID: | CAEV0TzDEFMPTngyAex5db41zNd83nzmL3w=qRuJkHtMaJMB_UQ@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On Sun, Jul 5, 2020 at 11:41 AM Michel Pelletier <pelletier(dot)michel(at)gmail(dot)com>
wrote:
>
>
> I'm working on an approach where the decrypted DEK only lives for the
> lifetime of a transaction, this means hitting the kms on every transaction
> that uses keys. It will be slower, but the time the decrypted key stays in
> memory would be minimized.
>
Watch out for KMS api quotas if you go that route. Their docs don't state
what the default quotas are, so you have to go to your quotas page in the
console to find out, but they likely aren't very high and might well be
exceeded by the transaction rate on even a relatively small db instance.
>
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Michel Pelletier | 2020-07-05 22:32:00 | Re: Application Level Encryption |
| Previous Message | Michel Pelletier | 2020-07-05 18:40:11 | Re: Application Level Encryption |