Re: Proposed patch for key managment
From | Bruce Momjian |
---|---|
Subject | Re: Proposed patch for key managment |
Date | |
Msg-id | 20201214230615.GA14596@momjian.us |
In reply to | Proposed patch for key managment (Bruce Momjian <bruce@momjian.us>) |
Replies |
Re: Proposed patch for key managment
Re: Proposed patch for key managment |
List | pgsql-hackers |
On Wed, Dec 2, 2020 at 04:38:14PM -0500, Bruce Momjian wrote:
> Attached is a patch for key management, which will eventually be part of
> cluster file encryption (CFE), called TDE (Transparent Data Encryption)
> by Oracle. It is an update of Masahiko Sawada's patch from July 31:
>
> https://www.postgresql.org/message-id/CA+fd4k6RJwNvZTro3q2f5HSDd8HgyUc4CuY9U3e6Ran4C6TO4g@mail.gmail.com
>
> Sawada-san did all the hard work, and I just redirected the patch. The
> general outline of this CFE feature can be seen here:
>
> https://wiki.postgresql.org/wiki/Transparent_Data_Encryption
>
> The currently planned progression for this feature is to allow secure
> retrieval of key encryption keys (KEK) outside of the database, then use
> those to encrypt data keys that encrypt heap/index/tmpfile files.
...
> If most people approve of this general approach, and the design
> decisions made, I would like to apply this in the next few weeks, but
> this brings complications. The syntax added by this commit might not
> provide a useful feature until PG 15, so how do we hide it from users.
> I was thinking of not applying the doc changes (or commenting them out)
> and commenting out the --help output.

I am getting close to applying these patches, probably this week. The
patches are cumulative:

https://github.com/postgres/postgres/compare/master...bmomjian:key.diff
https://github.com/bmomjian/postgres/compare/key...bmomjian:key-alter.diff

I do have a few questions:

Why is KmgrShmemData a struct, when it only has a single member? Are
all shared memory areas structs?

Should pg_altercpass be using fsync's for directory renames?

Can anyone test this on Windows, particularly -R handling?

What testing infrastructure should this have?

There are a few shell scripts I should include to show how to create
commands. Where should they be stored? /contrib module?

Are people okay with having the feature enabled, but invisible
since the docs and --help output are missing? When we enable
ssl_passphrase_command to prompt from the terminal, some of the
command-line options will be useful.

Do people like the command-letter choices?

I called the alter passphrase utility pg_altercpass. I could
have called it pg_clusterpass, but I wanted to highlight it is
only for changing the passphrase, not for creating them.

--
Bruce Momjian <bruce@momjian.us> https://momjian.us
EnterpriseDB https://enterprisedb.com

The usefulness of a cup is in its emptiness, Bruce Lee