Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1meIxV-000757-2h for pgsql-hackers@arkaria.postgresql.org; Sat, 23 Oct 2021 15:29:21 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1meIxS-0004fS-Vp for pgsql-hackers@arkaria.postgresql.org; Sat, 23 Oct 2021 15:29:18 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1meIxS-0004fJ-NL for pgsql-hackers@lists.postgresql.org; Sat, 23 Oct 2021 15:29:18 +0000 Received: from momjian.us ([72.94.173.45]) by magus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1meIxL-0004ii-GY for pgsql-hackers@postgresql.org; Sat, 23 Oct 2021 15:29:18 +0000 Received: from bruce by momjian.us with local (Exim 4.92) (envelope-from ) id 1meIxF-0005R2-1B; Sat, 23 Oct 2021 11:29:05 -0400 Date: Sat, 23 Oct 2021 11:29:05 -0400 From: Bruce Momjian To: Stephen Frost Cc: Tomas Vondra , Robert Haas , Andres Freund , Sasasu , PostgreSQL-development Subject: Re: XTS cipher mode for cluster file encryption Message-ID: <20211023152905.GA5989@momjian.us> References: <57935ba1-a08e-480f-2e27-d8bbfd9bf261@enterprisedb.com> <871a349d-fcf6-d58f-1c77-e8510afaf043@enterprisedb.com> <20211019184425.GT20998@tamriel.snowman.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20211019184425.GT20998@tamriel.snowman.net> User-Agent: Mutt/1.10.1 (2018-07-13) List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Tue, Oct 19, 2021 at 02:44:26PM -0400, Stephen Frost wrote: > Another threat model to consider is if the attacker has read-only access > to the data directory through, say, unix group read privileges or maybe > the ability to monitor the traffic on the SAN, or the ability to > read-only mount the LUN on to another system. This might be obtained by > attacking a backup process where the system was configured to run > physical backups using an unprivileged OS user who only has group read > access to the cluster (and the necessary but non-superuser privleges in > the database system to start/stop the backup), or various potential > attacks at the storage layer. This is similar to the "data at rest" > case above in that XTS works well to address this, but because the > attacker would have ongoing access (rather than just one-time, such as > in the first case), information such as which blocks are being changed > inside of a given 8k page might be able to be determined and that could > be useful information, though a point here: they would already be able > to see clearly which 8k pages are being changed and which aren't, and > there's not really any way for us to prevent that reasonably. As such, > I'd argue that using XTS is reasonable and we can mitigate some of this > concern by using the LSN in the tweak instead of just the block number > as the 'plain64' option in dmcrypt does. That doing so would mean that That is an excellent point, and something we should mention in our documentation --- the fact that a change of 8k granularity will be visible, and in certain specified cases, 16-byte change granularity will also be visible. -- Bruce Momjian https://momjian.us EDB https://enterprisedb.com If only the physical world exists, free will is an illusion.