Re: [Proposal] Table-level Transparent Data Encryption (TDE) and Key Management Service (KMS)

From: Sehrope Sarkuni <sehrope(at)jackdb(dot)com>
To: Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>
Cc: Bruce Momjian <bruce(at)momjian(dot)us>, Tomas Vondra <tomas(dot)vondra(at)2ndquadrant(dot)com>, Joe Conway <mail(at)joeconway(dot)com>, Antonin Houska <ah(at)cybertec(dot)at>, Stephen Frost <sfrost(at)snowman(dot)net>, Masahiko Sawada <sawada(dot)mshk(at)gmail(dot)com>, Robert Haas <robertmhaas(at)gmail(dot)com>, Haribabu Kommi <kommi(dot)haribabu(at)gmail(dot)com>, "Moon, Insung" <Moon_Insung_i3(at)lab(dot)ntt(dot)co(dot)jp>, Ibrar Ahmed <ibrar(dot)ahmad(at)gmail(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: [Proposal] Table-level Transparent Data Encryption (TDE) and Key Management Service (KMS)
Date: 2019-07-29 22:11:14
Message-ID: CAH7T-arUUP5cPZBx1w==sEJ_eiWMcx=Meu9UHvrAF1PjyNzJ-g@mail.gmail.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

On Mon, Jul 29, 2019 at 4:15 PM Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>
wrote:

> On 2019-Jul-27, Sehrope Sarkuni wrote:
>
> > Given the non-cryptographic nature of CRC and its 16-bit size, I'd
> > round down the malicious tamper detection it provides to zero. At best
> > it catches random disk errors so might as well keep it in plain text
> > and checkable offline.
>
> But what attack are we protecting against? We fear that somebody will
> steal a disk or a backup. We don't fear that they will *write* data.
> The CRC is there to protect against data corruption. So whether or not
> the CRC protects against malicious tampering is beside the point.
>

That was in response to using an encrypted CRC for tamper detection. I
agree that it does not provide meaningful protection so there is no point
in adding complexity to use it for that.

I agree it's better to leave the CRC as-is for detecting corruption which
also has the advantage of playing nice with existing checksum tooling.

> If we were trying to protect against an attacker having access to
> *writing* data in the production server, this encryption scheme is
> useless: they could just as well read unencrypted data from shared
> buffers anyway.
>

The attack situation is someone being able to modify pages at the storage
tier. They cannot necessarily read server memory or the encryption key, but
they could make changes to existing data or an existing backup that would
be subsequently read by the server.

Dealing with that is way out of scope but similar to the replica promotion
I think it should be kept track of and documented.

> I think trying to protect against malicious data tampering is a second
> step *after* this one is done.
>

+1

Regards,
-- Sehrope Sarkuni
Founder & CEO | JackDB, Inc. | https://www.jackdb.com/

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Alexander Korotkov 2019-07-29 22:25:25 Re: Define jsonpath functions as stable
Previous Message Tom Lane 2019-07-29 21:55:14 Re: TopoSort() fix