Hi,
Here are a few more things I noticed :
If a CEK is encrypted with cmk1 and cmk2, but cmk1 isn't found on the
client,the following error is printed twice for the very first SELECT
statement:
could not open file "/path/to/cmk1.pem": No such file or directory
...and nothing is returned. The next queries in the same session would
work correctly (cmk2 is used for the decryption of the CEK). An INSERT
statement si handled properly, though : one (and only one) error
message, and line actually inserted in all cases).
For example :
postgres=# SELECT * FROM customers ;
could not open file "/path/to/cmk1.pem": No such file or directory
could not open file "/path/to/cmk1.pem": No such file or directory
postgres=# SELECT * FROM customers ;
id | name | creditcard_num
----+-------+-----------------
1 | toto | 546843351354245
2 | babar | 546843351354245
<close and open new psql session>
postgres=# INSERT INTO customers (id, name, creditcard_num) VALUES
($1, $2, $3) \gencr '3' 'toto' '546888351354245';
could not open file "/path/to/cmk1.pem": No such file or directory
INSERT 0 1
postgres=# SELECT * FROM customers ;
id | name | creditcard_num
----+-------+-----------------
1 | toto | 546843351354245
2 | babar | 546843351354245
3 | toto | 546888351354245
From the documentation of CREATE COLUMN MASTER KEY, it looks like the
REALM is optional, but both
CREATE COLUMN MASTER KEY cmk1;
and
CREATE COLUMN MASTER KEY cmk1 WITH ();
returns a syntax error.
About AEAD, the documentation says :
> The “associated data” in these algorithms consists of 4 bytes: The
ASCII letters P and G (byte values 80 and 71), followed by the algorithm
ID as a 16-bit unsigned integer in network byte order.
My guess is that it serves no real purpose, did I misunderstand ?