Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1pFKap-0004qr-7I for pgsql-hackers@arkaria.postgresql.org; Tue, 10 Jan 2023 19:47:31 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1pFKan-0004LK-VL for pgsql-hackers@arkaria.postgresql.org; Tue, 10 Jan 2023 19:47:29 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1pFKan-0004LB-9l for pgsql-hackers@lists.postgresql.org; Tue, 10 Jan 2023 19:47:29 +0000 Received: from mail-pf1-x433.google.com ([2607:f8b0:4864:20::433]) by magus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from ) id 1pFKaj-0002lA-6J for pgsql-hackers@postgresql.org; Tue, 10 Jan 2023 19:47:28 +0000 Received: by mail-pf1-x433.google.com with SMTP id x4so5542181pfj.1 for ; Tue, 10 Jan 2023 11:47:24 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=enterprisedb.com; s=google; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=usl1ZcpQ4lIwBic5FggEQ4YV6G43LBCqtjKBeZ6SSl4=; b=KQHhkoT7/EN7Ptpk1QFSiVP8d4/IA38E/GBALnjfN5kG+cyu/tS4LDQ7FA2GXW0wNp f0URP/Yrz3jzDVvt+LbJTlLUU99S0VCItMjqOPrEnew3raajapdPYV4y/KhUtzIEZRVU I6hAVn+3tHLrMy+P1/Pj8BBuOYhhYJg84i/jcn+Tfd5Dde2BOkq4u9XdByPs9EC+znsn tptfnAkbzuKZPUw+K8FwiSNfRwXNJX3ozPxSBPB4kdeYaUoWriQNKBDtJUXcU3QZgTMg Lc1me5OP+XgFE8DMFTXEwojSBQVrqe+qKk0ut5NlffogaouD5azUlVyuJ/geqCRvRPnC 9akA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=usl1ZcpQ4lIwBic5FggEQ4YV6G43LBCqtjKBeZ6SSl4=; b=iQ3HXV5d5GNvwvbw0BVQc4W9YQM1m89DVG3KmG1yXSM37g3MRHq0RRtFycYASoSAAv +zXlkBgViSxc9AGDRXYazwAI695ASdlTVLoi8dmbPsOc0scGehem1l2zj1PywQmM5twK ddVKRVbjWQNG2+leS5X+9xMAzX0zWw/ELJVFk6EXnOZ3fU98RuqGYuPdM7p/AqtoCNiy Es5tyi6smMTz+Nc+uxZMLuYcY06vmRK/ZpUvMSTC+uBohmNGMkVmAsbuzGgW0xghVdC/ 1TDKxNAT8sFoq7CZ0PSZM6QkYsAbigScSIuOvlxeFI3PCRZu31V/EwWPUTTb69570IdK Zxfg== X-Gm-Message-State: AFqh2kozuWGFivcjO4ic8MkfTqRxRtNxS299brKCP7fcTjD3Up/VY8Sn lPeIUqxJMbfE+JRtiuvG6J9Tqk2kvJJB4h3+lAttzaxD9DrGSGPZOoAzhC66SiDdxcb8bGZBIKk vHMptRydavGfKn4znAC+ULm0VLtbitcNRvC9/AEMCmwAZbelEfRSVugTVlnDOJuBlhbRQYYmPy9 JVHqlL2iwiOReDcipDDmw5gkwQyNUnESg9iOSylEggOyftqWtC8cUsc7am3MtqmSSgPTxSqK98m Urm2cOElaL8Lrcj8BD+BYGyOfhYOmI5or9M X-Google-Smtp-Source: AMrXdXsndEp3qs0y4EXl9kSEJKdLgevkJnVNbccthbXHiGoamudWtWkCd6CgM3t3Q6HUMnlFLYNqcw== X-Received: by 2002:a05:6a00:72a:b0:57d:56f1:6ae7 with SMTP id 10-20020a056a00072a00b0057d56f16ae7mr59297362pfm.33.1673380042915; Tue, 10 Jan 2023 11:47:22 -0800 (PST) Received: from smtpclient.apple (24-113-193-150.wavecable.com. [24.113.193.150]) by smtp.gmail.com with ESMTPSA id p6-20020aa79e86000000b0056b4c5dde61sm8717595pfq.98.2023.01.10.11.47.22 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 10 Jan 2023 11:47:22 -0800 (PST) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.300.101.1.3\)) Subject: Re: Transparent column encryption From: Mark Dilger In-Reply-To: <39414634-723D-43E4-9EC6-7E955201733C@enterprisedb.com> Date: Tue, 10 Jan 2023 11:47:11 -0800 Cc: pgsql-hackers Content-Transfer-Encoding: quoted-printable Message-Id: <61E7BB91-45B2-48AF-B52F-F114092A06BE@enterprisedb.com> References: <89157929-c2b6-817b-6025-8e4b2d89d88f@enterprisedb.com> <48a9f2c2-4a57-27d8-7c53-16a23a01014e@enterprisedb.com> <79f08a39-a7da-5157-cef4-378fb60c18f8@enterprisedb.com> <258c5064-437e-f41e-7537-5e8c343c33cc@enterprisedb.com> <6bd99fea-3298-854d-d37f-554151342f36@enterprisedb.com> <963aa100-7e78-3463-0645-700eaaa325f2@enterprisedb.com> <06830254-6d87-86b2-0280-bf2eee7736a5@enterprisedb.com> <75f394fa-f539-1875-079c-c654deceed41@enterprisedb.com> <8bcedb49-1496-0755-bd24-1cbabf30ec84@enterprisedb.com> <39414634-723D-43E4-9EC6-7E955201733C@enterprisedb.com> To: Peter Eisentraut X-Mailer: Apple Mail (2.3731.300.101.1.3) X-CLOUD-SEC-AV-Info: enterprisedb,google_mail,monitor X-CLOUD-SEC-AV-Sent: true X-Gm-Spam: 0 X-Gm-Phishy: 0 List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk > On Jan 10, 2023, at 9:26 AM, Mark Dilger = wrote: >=20 > -- Cryptographically connected to the encrypted record > patient_id BIGINT NOT NULL, > patient_ssn CHAR(11), >=20 > -- The encrypted record > patient_record TEXT ENCRYPTED WITH (column_encryption_key =3D cek1, > column_encryption_salt =3D = (patient_id, patient_ssn)), As you mention upthread, tying columns together creates problems for = statements that only operate on a subset of columns. Allowing schema = designers a choice about tying the encrypted column to zero or more = other columns allows them to choose which works best for their security = needs. The example above would make a statement like "UPDATE patient_record SET = patient_record =3D $1 \bind '{some json whatever}'" raise an exception = at the libpq client level, but maybe that's what schema designers wants = it to do. If not, they should omit the column_encryption_salt option in = the create table statement; but if so, they should expect to have to = specify the other columns as part of the update statement, possibly as = part of the where clause, like UPDATE patient_record SET patient_record =3D $1 WHERE patient_id =3D 12345 AND patient_ssn =3D '111-11-1111'=20 \bind '{some json record}' and have the libpq get the salt column values from the where clause = (which may be tricky to implement), or perhaps use some new bind syntax = like UPDATE patient_record SET patient_record =3D ($1:$2,$3) -- new, wonky syntax WHERE patient_id =3D $2 AND patient_ssn =3D $3=20 \bind '{some json record}' 12345 '111-11-1111' which would be error prone, since the sql statement could specify the = ($1:$2,$3) inconsistently with the where clause, or perhaps specify the = "new" salt columns even when not changed, like UPDATE patient_record SET patient_record =3D $1, patient_id =3D 12345, = patient_ssn =3D "111-11-1111" WHERE patient_id =3D 12345 AND patient_ssn =3D "111-11-1111" \bind '{some json record}' which looks kind of nuts at first glance, but is grammatically = consistent with cases where one or both of the patient_id or patient_ssn = are also being changed, like UPDATE patient_record SET patient_record =3D $1, patient_id =3D 98765, = patient_ssn =3D "999-99-9999" WHERE patient_id =3D 12345 AND patient_ssn =3D "111-11-1111" \bind '{some json record}' Or, of course, you can ignore these suggestions or punt them to some = future patch that extends the current work, rather than trying to get it = all done in the first column encryption commit. But it seems useful to = think about what future directions would be, to avoid coding ourselves = into a corner, making such future work harder. =E2=80=94 Mark Dilger EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company