| From: | Craig Ringer <craig(dot)ringer(at)enterprisedb(dot)com> |
|---|---|
| To: | Bruce Momjian <bruce(at)momjian(dot)us> |
| Cc: | Masahiko Sawada <masahiko(dot)sawada(at)2ndquadrant(dot)com>, Fabien COELHO <coelho(at)cri(dot)ensmp(dot)fr>, Cary Huang <cary(dot)huang(at)highgo(dot)ca>, Ahsan Hadi <ahsan(dot)hadi(at)gmail(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>, "Moon, Insung" <tsukiwamoon(dot)pgsql(at)gmail(dot)com>, Robert Haas <robertmhaas(at)gmail(dot)com>, Sehrope Sarkuni <sehrope(at)jackdb(dot)com>, cary huang <hcary328(at)gmail(dot)com>, Ibrar Ahmed <ibrar(dot)ahmad(at)gmail(dot)com>, Joe Conway <mail(at)joeconway(dot)com> |
| Subject: | Re: Internal key management system |
| Date: | 2020-10-27 14:02:53 |
| Message-ID: | CAGRY4nxotdT48u_i0WZ9YcfYsA6Zug6-4bUpw0Npy5hhWmTuwg@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Tue, 27 Oct 2020, 19:15 Bruce Momjian, <bruce(at)momjian(dot)us> wrote:
> We could implement a 'command:' prefix now, and maybe
> a 'pass:' one, and allow other methods like 'pkcs11' later.
>
We don't need to do anything except provide a way to tell OpenSSL where to
get the KEK from, for situations where having Pg generate it internally
undesirable.
I proposed a simple GUC that we could supply to OpenSSL as a key path
because it's simple. It's definitely not best.
In my prior mail I outlined what I think is a better way. Abstract key key
initialisation - passphrase fetching KEK/HMAC loading and all of it -
behind a pluggable interface. Looking at the patch, it's mostly there
already. We just need a way to hook the key loading and setup so it can be
overridden to use whatever method is required. Then KEK operations to
encrypt and decrypt the heap and WAL keys happen via that abstraction.
That way Pg does not have to care about the details of hardware key
management, PKCS#11 or OpenSSL engines, etc.
A little thought is needed to make key rotation work well. Especially when
you want to switch from cluster passphrase to a plugin that supports use of
a HVM escrowed key, or vice versa.
But most of what's needed looks like it's there already. It's just down to
making sure the key loading and initialisation is overrideable.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Fabrízio de Royes Mello | 2020-10-27 14:06:22 | Re: Add important info about ANALYZE after create Functional Index |
| Previous Message | Pavel Biryukov | 2020-10-27 13:55:17 | Re: posgres 12 bug (partitioned table) |