Re: Transparent Data Encryption (TDE) and encrypted files

Поиск
Список
Период
Сортировка
От Magnus Hagander
Тема Re: Transparent Data Encryption (TDE) and encrypted files
Дата
Msg-id CABUevEzLvYRbPHu8nk+YyM1fZqAsRkr=P+j9eqAiMssxxikQQg@mail.gmail.com
обсуждение исходный текст
Ответ на Re: Transparent Data Encryption (TDE) and encrypted files  (Tels <nospam-pg-abuse@bloodgate.com>)
Ответы Re: Transparent Data Encryption (TDE) and encrypted files  ("Moon, Insung" <tsukiwamoon.pgsql@gmail.com>)
Re: Transparent Data Encryption (TDE) and encrypted files  (Stephen Frost <sfrost@snowman.net>)
Список pgsql-hackers
Дерево обсуждения


On Tue, Oct 1, 2019 at 9:33 AM Tels <nospam-pg-abuse@bloodgate.com> wrote:
Moin,

On 2019-09-30 23:26, Bruce Momjian wrote:
> For full-cluster Transparent Data Encryption (TDE), the current plan is
> to encrypt all heap and index files, WAL, and all pgsql_tmp (work_mem
> overflow).  The plan is:
>
>       https://wiki.postgresql.org/wiki/Transparent_Data_Encryption#TODO_for_Full-Cluster_Encryption
>
> We don't see much value to encrypting vm, fsm, pg_xact, pg_multixact,
> or
> other files.  Is that correct?  Do any other PGDATA files contain user
> data?

IMHO the general rule in crypto is: encrypt everything, or don't bother.

If you don't encrypt some things, somebody is going to find loopholes
and sidechannels
and partial-plaintext attacks. Just a silly example: If you trick the DB
into putting only one row per page,
any "bit-per-page" map suddenly reveals information about a single
encrypted row that it shouldn't reveal.

Many people with a lot of free time on their hands will sit around,
drink a nice cup of tea and come up
with all sorts of attacks on these things that you didn't (and couldn't)
anticipate now.

So IMHO it would be much better to err on the side of caution and
encrypt everything possible.

+1.

Unless we are *absolutely* certain, I bet someone will be able to find a side-channel that somehow leaks some data or data-about-data, if we don't encrypt everything. If nothing else, you can get use patterns out of it, and you can make a lot from that. (E.g. by whether transactions are using multixacts or not you can potentially determine which transaction they are, if you know what type of transactions are being issued by the application. In the simplest case, there might be a single pattern where multixacts end up actually being used, and in that case being able to see the multixact data tells you a lot about the system).

As for other things -- by default, we store the log files in text format in the data directory. That contains *loads* of sensitive data in a lot of cases. Will those also be encrypted? 

--

В списке pgsql-hackers по дате отправления:

Предыдущее
От: "Moon, Insung"
Дата:
Сообщение: Re: Transparent Data Encryption (TDE) and encrypted files
Следующее
От: Sakshi Munjal
Дата:
Сообщение: About Google Code-in