Re: [Proposal] Table-level Transparent Data Encryption (TDE) and KeyManagement Service (KMS)

hello ...

we are actually planning to move this forward but we did not get around to actually sit down and do it.
the thing is: we would really like to push this forward and we would certainly be happy if the community could reach a consenus on HOW TO implement it and what we really want.
the reason we went for block level encryption in the first place is that it makes key management really comparatively easy.
there is a module in the server (plugin architecture), which arranges the key so that you an start up. that could be a command line prompt, some integration into some fancy key management or whatever means the user wants. it is really really easy. also, TDE has encryption for everything short of the clog and the textual log (which is pretty pointless).
the clog encryption was left out for reliability issues (robert pointed out and issue with torn writes).
so, if we could somehow find a way to implement this which has a chance to actually get committed we are super open to put a lot more effort into that.
of course we are also open to helping hands.

in short: what does the community think? how shall we proceed?

    many thanks,

        hans

On Tue, Jul 3, 2018 at 5:37 PM Moon, Insung <Moon_Insung_i3@lab.ntt.co.jp> wrote:

Dear Tom Lane.

> -----Original Message-----
> From: Tom Lane [mailto:tgl@sss.pgh.pa.us]
> Sent: Monday, June 18, 2018 11:52 PM
> To: Robert Haas
> Cc: Joe Conway; Masahiko Sawada; Moon, Insung; PostgreSQL-development
> Subject: Re: [Proposal] Table-level Transparent Data Encryption (TDE) and Key Management Service (KMS)
>
> Robert Haas <robertmhaas@gmail.com> writes:
> > On Mon, Jun 18, 2018 at 10:12 AM, Joe Conway <mail@joeconway.com> wrote:
> >> Not necessarily. Our pages probably have enough predictable bytes to
> >> aid cryptanalysis, compared to user data in a column which might not
> >> be very predicable.
>
> > Really?  I would guess that the amount of entropy in a page is WAY
> > higher than in an individual column value.
>
> Depending on the specifics of the encryption scheme, having some amount of known (or guessable) plaintext may allow breaking
> the cipher, even if much of the plaintext is not known.  This is cryptology 101, really.
>
> At the same time, having to have a bunch of independently-decipherable short field values is not real secure either, especially
> if they're known to all be encrypted with the same key.  But what you know or can guess about the plaintext in such cases
> would be target-specific, rather than an attack that could be built once and used against any PG database.

Yes. If there is known to guessable data of encrypted data, maybe there is a  possibility of decrypting the encrypted data.

But would it be safe to use an additional encryption mode such as GCM or XFS to solve this problem?
(Do not use the same IV)

Thank you and Best regards.
Moon.


>
>                       regards, tom lane

Hi Moon,

Have you done progress on that patch? I am thinking to work on the project and found that you are already working on it. The last message is almost six months old. I want to check with you that are you still working on that, if yes I can help on that by reviewing the patch etc. If you are not working on that anymore, can you share your done work (if possible)?

--

Ibrar Ahmed

-- 
Hans-Jürgen Schönig
Cybertec Schönig & Schönig GmbH
Gröhrmühlgasse 26
A-2700 Wiener Neustadt
Web: https://www.cybertec-postgresql.com