Re: Proposed patch for key managment

On Mon, Dec  7, 2020 at 09:30:03AM +0900, Masahiko Sawada wrote:
> Thank you for updating the patch!
> 
> I think we need explicit_bzero() also in freeing the keywrap context.

pg_cryptohash_free() already has this:

    explicit_bzero(state, sizeof(pg_cryptohash_state));
    explicit_bzero(ctx, sizeof(pg_cryptohash_ctx));

Do we need more?

> BTW, when we need -R option pg_ctl command to start the server, how
> can we start it in the single-user mode?

I added code for that, but I hadn't tested it yet.  Now that I tried it,
I realized that it is awkward to supply a file descriptor number (that
will be closed) from the command-line, so I added code and docs to allow
-1 to duplicate standard error, and it worked:

    $ postgres --single -R -1 -D /u/pg/data
    
    Enter password:
    PostgreSQL stand-alone backend 14devel
    backend> select 100;
             1: ?column?    (typeid = 23, len = 4, typmod = -1, byval = t)
            ----
             1: ?column? = "100"    (typeid = 23, len = 4, typmod = -1, byval = t)
            ----

Updated patch at the same URL:

    https://github.com/postgres/postgres/compare/master...bmomjian:key.diff

-- 
  Bruce Momjian  <bruce@momjian.us>        https://momjian.us
  EnterpriseDB                             https://enterprisedb.com

  The usefulness of a cup is in its emptiness, Bruce Lee