Re: [Proposal] Table-level Transparent Data Encryption (TDE) and KeyManagement Service (KMS)
От | Tomas Vondra |
---|---|
Тема | Re: [Proposal] Table-level Transparent Data Encryption (TDE) and KeyManagement Service (KMS) |
Дата | |
Msg-id | 20190710143220.uflxq7hjt2moeuhi@development обсуждение исходный текст |
Ответ на | Re: [Proposal] Table-level Transparent Data Encryption (TDE) and KeyManagement Service (KMS) (Masahiko Sawada <sawada.mshk@gmail.com>) |
Список | pgsql-hackers |
On Wed, Jul 10, 2019 at 03:38:54PM +0900, Masahiko Sawada wrote: >On Tue, Jul 9, 2019 at 9:01 PM Joe Conway <mail@joeconway.com> wrote: >> >> On 7/9/19 6:07 AM, Peter Eisentraut wrote: >> > On 2019-07-08 18:09, Joe Conway wrote: >> >> In my mind, and in practice to a >> >> large extent, a postgres tablespace == a unique mount point. >> > >> > But a critical difference is that in file systems, a separate mount >> > point has its own journal. >> >> While it would be ideal to have separate WAL, and even separate shared >> buffer pools, per tablespace, I think that is too much complexity for >> the first implementation and we could have a single separate key for all >> WAL for now. > >If we encrypt different tables with different keys I think we need to >encrypt WAL with the same keys as we used for tables, as per >discussion so far. And we would need to encrypt each WAL records, not >whole WAL 8k pages. > I don't think we actually need that - we need to ensure that users don't have access to the key used to encrypt WAL. This is very much a question of the threat model. If we see TDE as a data-at-rest solution, then I think it's fine to have a separate keyring with such keys, and only allow access to system processes. If our thread model includes cases where people can read memory (does not matter if it's because of a vulnerability, privilege escalation or just allowing the people to load an extension with custom C function), then I think we've already lost. Those people will be able to read the keys anyway, no matter how many keys are used to encrypt the WAL. We may need to change how WAL writing works, so that individual backends don't really write into the WAL buffers directly, and intead hand-over the data to a separate process (with access to the key). We already have the walwriter, but IIRC it may not be running and we consider that to be OK. Or maybe we could have "encrypter" process that does just that. That's surely non-trivial work, but it seems like much less work compared to reworking the WAL format to allow WAL to be encrypted with different keys. At least for v0 that should be OK. regards -- Tomas Vondra http://www.2ndQuadrant.com PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
В списке pgsql-hackers по дате отправления: