agora inbox for [email protected]  
help / color / mirror / Atom feed
From: Antonin Houska <[email protected]>
To: Matthias van de Meent <[email protected]>
Cc: Robert Haas <[email protected]>
Cc: Stephen Frost <[email protected]>
Cc: PostgreSQL Hackers <[email protected]>
Subject: Re: Temporary file access API
Date: Wed, 13 Apr 2022 08:30:28 +0200
Message-ID: <2346.1649831428@antos> (raw)
In-Reply-To: <CAEze2WgK=8fBtY2CcCffqCrux4wKYFEiRVpkoPMMVaRjDq6Cpg@mail.gmail.com>
References: <4987.1644323098@antos>
	<[email protected]>
	<27013.1646738099@antos>
	<CA+TgmobnojZw6mZi0T_61RtUDgsxroYhp+DJU5Yhz6caxUrQgw@mail.gmail.com>
	<3146.1649408068@antos>
	<CA+TgmobQM4Yym3944tFpcaJX4EfYs92Vv4NCY3V0R5BE4RU2rg@mail.gmail.com>
	<2132.1649664364@antos>
	<CAEze2WgK=8fBtY2CcCffqCrux4wKYFEiRVpkoPMMVaRjDq6Cpg@mail.gmail.com>

Matthias van de Meent <[email protected]> wrote:

> On Mon, 11 Apr 2022 at 10:05, Antonin Houska <[email protected]> wrote:
> >
> > There are't really that many kinds of files to encrypt:
> >
> > https://wiki.postgresql.org/wiki/Transparent_Data_Encryption#List_of_the_files_that_contain_user_dat...
> >
> > (And pg_stat/* files should be removed from the list.)
> 
> I was looking at that list of files that contain user data, and
> noticed that all relation forks except the main fork were marked as
> 'does not contain user data'. To me this seems not necessarily true:
> AMs do have access to forks for user data storage as well (without any
> real issues or breaking the abstraction), and the init-fork is
> expected to store user data (specifically in the form of unlogged
> sequences). Shouldn't those forks thus also be encrypted-by-default,
> or should we provide some other method to ensure that non-main forks
> with user data are encrypted?

Thanks. I've updated the wiki page (also included Robert's comments).

-- 
Antonin Houska
Web: https://www.cybertec-postgresql.com






view thread (2+ messages)

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected], [email protected], [email protected], [email protected]
  Subject: Re: Temporary file access API
  In-Reply-To: <2346.1649831428@antos>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox