On Thu, May 27, 2021 at 08:34:51AM -0700, Andres Freund wrote:
> Hi,
>
> On Thu, May 27, 2021, at 08:10, Bruce Momjian wrote:
> > On Wed, May 26, 2021 at 05:11:24PM -0700, Andres Freund wrote:
> > > Hi,
> > >
> > > On 2021-05-25 17:12:05 -0400, Bruce Momjian wrote:
> > > > If we used a block cipher instead of a streaming one (CTR), this might
> > > > not work because the earlier blocks can be based in the output of
> > > > later blocks.
> > >
> > > What made us choose CTR for WAL & data file encryption? I checked the
> > > README in the patchset and the wiki page, and neither seem to discuss
> > > that.
> > >
> > > The dangers around nonce reuse, the space overhead of storing the nonce,
> > > the fact that single bit changes in the encrypted data don't propagate
> > > seem not great? Why aren't we using something like XTS? It has obvious
> > > issues as wel, but CTR's weaknesses seem at least as great. And if we
> > > want a MAC, then we don't want CTR either.
> >
> > We chose CTR because it was fast, and we could use the same method for
> > WAL, which needs a streaming, not block, cipher.
>
> The WAL is block oriented too.
Well, AES block mode only does 16-byte blocks, as far as I know, and I
assume WAL is more granular than that. Also, you need to know the bytes
_before_ the WAL do write a new 16-byte block, so it seems overly
complex for our usage too.
--
Bruce Momjian <bruce@momjian.us> https://momjian.us
EDB https://enterprisedb.com
If only the physical world exists, free will is an illusion.