Re: Proposed patch for key management
From | Bruce Momjian |
---|---|
Subject | Re: Proposed patch for key management |
Date | |
Msg-id | 20201216221812.GE4527@momjian.us |
In reply to | Re: Proposed patch for key management (Bruce Momjian <bruce@momjian.us>) |
List | pgsql-hackers |
On Wed, Dec 16, 2020 at 01:42:57PM -0500, Bruce Momjian wrote:
> On Wed, Dec 16, 2020 at 06:07:26PM +0000, Alastair Turner wrote:
> > Hi Bruce
> >
> > On Wed, 16 Dec 2020 at 00:12, Bruce Momjian <bruce@momjian.us> wrote:
> > >
> > > ...
> > >
> > > The second approach is to make a new API for what you want....
> >
> > I am trying to motivate for an alternate API. Specifically, an API
> > which allows any potential adopter of Postgres and Cluster File
> > Encryption to adopt them without having to accept any particular
> > approach to key management, key derivation, wrapping, validation, etc.
> > A passphrase key-wrapper with validation will probably be very useful
> > to a lot of people, but making it mandatory and requiring twists and
> > turns to integrate with already-established security infrastructure
> > sounds like a barrier to adoption.
>
> Attached is a script that uses the AWS Secrets Manager, and it does key
> rotation with the new pg_altercpass tool too, just like all the other
> methods.

Attached is an improved script that does not pass the secret on the command line.

--
  Bruce Momjian  <bruce@momjian.us>        https://momjian.us
  EnterpriseDB                             https://enterprisedb.com

  The usefulness of a cup is in its emptiness, Bruce Lee
Attachments