Re: [Proposal] Table-level Transparent Data Encryption (TDE) and KeyManagement Service (KMS)
От | Tomas Vondra |
---|---|
Тема | Re: [Proposal] Table-level Transparent Data Encryption (TDE) and KeyManagement Service (KMS) |
Дата | |
Msg-id | 20190709212741.pveotxpbhwvexkfn@development обсуждение исходный текст |
Ответ на | Re: [Proposal] Table-level Transparent Data Encryption (TDE) and KeyManagement Service (KMS) (Alvaro Herrera <alvherre@2ndquadrant.com>) |
Ответы |
Re: [Proposal] Table-level Transparent Data Encryption (TDE) and KeyManagement Service (KMS)
Re: [Proposal] Table-level Transparent Data Encryption (TDE) and KeyManagement Service (KMS) |
Список | pgsql-hackers |
On Tue, Jul 09, 2019 at 05:06:45PM -0400, Alvaro Herrera wrote: >On 2019-Jul-09, Joe Conway wrote: > >> > Ot you could just encrypt them with a different key, and you would not >> > need to make database OID part of the nonce. >> >> Yeah that was pretty much exactly what I was trying to say above ;-) > >So you need to decrypt each file and encrypt again when doing CREATE >DATABASE? > The question is whether we actually need to do that? Do we change OIDs of relations when creating the database? If not, we don't need to re-encrypt because having copies of the same block encrypted with the same nonce is not an issue (just like copying encrypted files is not an issue). Of course, we may need a CREATE DATABASE option that would force re-encryption with a different key, but it's not necessary because of nonces or whatnot. regards -- Tomas Vondra http://www.2ndQuadrant.com PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
В списке pgsql-hackers по дате отправления: