On Tue, Jun 13, 2017 at 12:23 PM, Stephen Frost <sfrost@snowman.net> wrote:
> Key management is an entirely independent discussion from this and the
> proposal from Ants, as I understand it, is that the key would *not* be
> in the database but could be anywhere that a shell command could get it
> from, including possibly a HSM (hardware device).
Yes. I think the right way to implement this is something like:
1. Have a GUC that runs a shell command to get the key.
2. If the command successfully gets the key, it prints it to stdout
and returns 0.
3. If it doesn't get successfully get the key, it returns 1. The
database can retry or give up, whatever we decide to do.
That way, if the user wants to store the key in an unencrypted text
file, they can set the encryption_key_command = 'cat /not/very/secure'
and call it a day. If they want to prompt the user on the console or
request the key from an HSM or get it in any other way, they just have
to write the appropriate shell script. We just provide mechanism, not
policy, and the user can adopt any policy they like, from an extremely
insecure policy to one suitable for Fort Knox.
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company