Re: Proposed patch for key managment
| От | Bruce Momjian |
|---|---|
| Тема | Re: Proposed patch for key managment |
| Дата | |
| Msg-id | 20201215163441.GE14596@momjian.us обсуждение исходный текст |
| Ответ на | Re: Proposed patch for key managment (Bruce Momjian <bruce@momjian.us>) |
| Список | pgsql-hackers |
On Mon, Dec 14, 2020 at 11:16:18PM -0500, Bruce Momjian wrote: > > 1. Previously, we added a variable bootstrap_keys_wrap that is used for > > encryption during initdb. However, since we save the "wrapped" key, we need to > > use a global KEK that can be accessed in boot mode to unwrap it before use... I > > don't know if that's good. To make it simple, I modified the > > bootstrap_keys_wrap to store the "unwrapped" key so that the encryption > > function can get it correctly. (The variable name should be changed > > accordingly). > > I see what you are saying. We store the wrapped in bootstrap mode, but > the unwrapped in normal mode. There is also the case of when we copy > the keys from an old cluster. I will work on a patch tomorrow and > report back here. I had not considered that we need the date keys available in bootstrap mode, even if we copied them from another cluster during pg_upgrade. I have updated the diff URLs and attaching a patch showing the changes I made. Basically, I had to separate BootStrapKmgr() into sections: 1. copy or create an empty live key directory 2. get the pass phrase 3. populate the live key directory if we didn't copy it 4. decrypt they keys into a file-scoped variable Thanks for showing me this missing feature. -- Bruce Momjian <bruce@momjian.us> https://momjian.us EnterpriseDB https://enterprisedb.com The usefulness of a cup is in its emptiness, Bruce Lee
Вложения
В списке pgsql-hackers по дате отправления: