Re: Value of Transparent Data Encryption (TDE)
From | Tomas Vondra |
---|---|
Subject | Re: Value of Transparent Data Encryption (TDE) |
Date | |
Msg-id | 20191003150846.6s5qzidltro6trwh@development |
In response to | Re: Value of Transparent Data Encryption (TDE) (Stephen Frost <sfrost@snowman.net>) |
List | pgsql-hackers |
On Thu, Oct 03, 2019 at 10:43:21AM -0400, Stephen Frost wrote:
>Greetings,
>
>* Robert Haas (robertmhaas@gmail.com) wrote:
>> On Tue, Oct 1, 2019 at 12:19 PM Bruce Momjian <bruce@momjian.us> wrote:
>> > Just to give more detail. Initially, there was a desire to store keys
>> > in only one place, either in the file system or in database tables.
>> > However, it became clear that the needs of booting the server and crash
>> > recovery required file system keys, and per-user/db keys were best done
>> > at the SQL level, so that indexing can be used, and logical dumps
>> > contain the locked keys. SQL-level storage allows databases to be
>> > completely independent of other databases in terms of key storage and
>> > usage.
>>
>> Wait, we're going to store the encryption keys with the database? It
>> seems like you're debating whether to store your front door keys under
>> the doormat or in a fake rock by the side of the path, when what you
>> really ought to be doing is keeping them physically separated from the
>> house, like in your pocket or your purse.
>
>This isn't news and shouldn't be shocking- databases which support TDE
>all have a vaulting system for managing the keys and, yes, that's stored
>with the database.
>

Right. The important bit here is that the vault is encrypted, and has to
be unlocked using a passphrase (or something like that) when starting
the database. So it's not really as silly as a key under the doormat.

>> It seems to me that the right design is that there's a configurable
>> mechanism for PostgreSQL to request keys from someplace outside the
>> database, and that other place is responsible for storing the keys
>> securely and not losing them. Probably, it's a key-server of some kind
>> running on another machine, but if you really want you can do
>> something insecure instead, like getting them from the local
>> filesystem.
>
>I support the option to have an external vault that's used, but I don't
>believe that should be a requirement and I don't think that removes the
>need to have a vaulting system of our own, so we can have a stand-alone
>TDE solution.
>

Right. If anything, we need a local vault that we could use for testing.
In other cases it might be a simple wrapper for a vault/keyring provided
by the operating system (if it's good enough for gpg keys ...).

>> I admit I haven't been following the threads on this topic, but this
>> just seems like a really strange idea.
>
>It's not new and it's how TDE works in all of the other database systems
>which support it.
>

Yep.

regards

--
Tomas Vondra http://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services