Re: [Proposal] Table-level Transparent Data Encryption (TDE) and KeyManagement Service (KMS)

On Wed, Aug  7, 2019 at 12:31:58AM +0900, Masahiko Sawada wrote:
> Well, so you mean that for example we encrypt only 100 bytes WAL
> record when append 100 bytes WAL records?
> 
> For WAL encryption, if we encrypt the entire 8k WAL page and write the
> entire page, the encrypted-and-written page will contain 100 bytes WAL
> record data and (8192-100) bytes garbage (omitted WAL page header for
> simplify), although WAL data on WAL buffer is still not encrypted
> state. And then if we append 200 bytes again, the
> encrypted-and-written page will contain 300 bytes WAL record data and
> (8192-300)bytes garbage, data on WAL buffer is still not encrypted
> state though.
> 
> In this case I think the first 100 bytes of two 8k WAL pages are the
> same because we encrypted both from the beginning of the page with the
> counter = 0. But the next 200 bytes are different; it's (encrypted)
> garbage in the former case but it's (encrypted) WAL record data in the
> latter case. I think that's a problem.
> 
> On the other hand, if we encrypt 8k WAL page with the different
> counter of nonce after append 200 byes WAL record, the first 100 byte
> (and of course the entire 8k page also) will be different. However
> since it's the same thing doing as changing already-flushed WAL record
> on the disk it's bad.
> 
> Also, if we encrypt only append data instead of entire 8k page, we
> would need to have the information  in somewhere about how much byte
> the WAL page has valid values. Otherwise reading WAL would not work
> fine.

OK, onlist reply.  We are going to encrypt the _entire_ WAL stream as we
write it, which is possible with CTR.  If we write 200 bytes of WAL, we
encrypt/XOR 200 bytes of WAL.  If we write 10k of WAL, and 8k of that is
an 8k page, we encrypt the entire 10k of WAL --- we don't care if there
is an 8k page in there or not.

CTR mode creates a bit stream for the first 16 bytes with nonce of
(segment_number, counter = 0), and the next 16 bytes with 
(segment_number, counter = 1), etc.  We only XOR using the parts of the
bit stream we want to use.  We don't care what the WAL content is --- we
just XOR it with the stream with the matching counter for that part of
the WAL.

It is true we are encrypting the same 8k page in the heap/index page,
and in WAL, with different key/nonce combinations, which I think is
secure.  What is insecure is to encrypt two different pieces of data
with the same key/nonce combination.

-- 
  Bruce Momjian  <bruce@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

+ As you are, so once was I.  As I am, so you will be. +
+                      Ancient Roman grave inscription +