Greetings,
* Bruce Momjian (bruce@momjian.us) wrote:
> On Wed, Oct 6, 2021 at 03:17:00PM -0400, Stephen Frost wrote:
> > * Bruce Momjian (bruce@momjian.us) wrote:
> > > On Tue, Oct 5, 2021 at 04:29:25PM -0400, Bruce Momjian wrote:
> > > > On Tue, Sep 28, 2021 at 12:30:02PM +0300, Ants Aasma wrote:
> > > > > On Mon, 27 Sept 2021 at 23:34, Bruce Momjian <bruce@momjian.us> wrote:
> > > > > We are still working on our TDE patch. Right now the focus is on refactoring
> > > > > temporary file access to make the TDE patch itself smaller. Reconsidering
> > > > > encryption mode choices given concerns expressed is next. Currently a viable
> > > > > option seems to be AES-XTS with LSN added into the IV. XTS doesn't have an
> -----------------------------------------------------
> > > > > issue with predictable IV and isn't totally broken in case of IV reuse.
> > > >
> > > > Uh, yes, AES-XTS has benefits, but since it is a block cipher, previous
> > > > 16-byte blocks affect later blocks, meaning that hint bit changes would
> > > > also affect later blocks. I think this means we would need to write WAL
> > > > full page images for hint bit changes to avoid torn pages. Right now
> > > > hint bit (single bit) changes can be lost without causing torn pages.
> > > > This was another of the advantages of using a stream cipher like CTR.
> > >
> > > Another problem caused by block mode ciphers is that to use the LSN as
> > > part of the nonce, the LSN must not be encrypted, but you then have to
> > > find a 16-byte block in the page that you don't need to encrypt.
> >
> > With AES-XTS, we don't need to use the LSN as part of the nonce though,
> > so I don't think this argument is actually valid..? As discussed
> > previously regarding AES-XTS, the general idea was to use the path to
> > the file and the filename itself plus the block number as the IV, and
> > that works fine for XTS because it's ok to reuse it (unlike with CTR).
>
> Yes, I would prefer we don't use the LSN. I only mentioned it since
> Ants Aasma mentioned LSN use above.
Ohhh, apologies for missing that, makes more sense now.
Thanks!
Stephen