Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1pMqeJ-00042Q-2t for pgsql-hackers@arkaria.postgresql.org; Tue, 31 Jan 2023 13:26:11 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1pMqeH-0000x2-Gv for pgsql-hackers@arkaria.postgresql.org; Tue, 31 Jan 2023 13:26:09 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1pMqeG-0000vq-HM for pgsql-hackers@lists.postgresql.org; Tue, 31 Jan 2023 13:26:09 +0000 Received: from wnew4-smtp.messagingengine.com ([64.147.123.18]) by magus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1pMqeA-0007EA-8z for pgsql-hackers@postgresql.org; Tue, 31 Jan 2023 13:26:08 +0000 Received: from compute2.internal (compute2.nyi.internal [10.202.2.46]) by mailnew.west.internal (Postfix) with ESMTP id 914982B066F4; Tue, 31 Jan 2023 08:25:58 -0500 (EST) Received: from mailfrontend1 ([10.202.2.162]) by compute2.internal (MEProxy); Tue, 31 Jan 2023 08:25:58 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm3; t=1675171558; x= 1675178758; bh=ge+sDhRHqPo2i2lglCI5dira00uVeTTivWF+cr1LWnk=; b=P 4FruWhKZUO8EN7CKZDD/0GyiSZIPQ64Gl58yOP83DDTRxFZa4LndhGLoL99A9Sr8 eFXWgsaprsRfpdhnkCbpv+MQ+1N4Yswjsb7wkut4UISvKtJc7DRGOEQVoQRynQMI m/UqokjwUoGvyzAdeu6e990DLGL8pV+lCO3lQoC0YvINVrrSP3Jq8B5uDsWICVBP ypVcmHeY3KER8Fav0u7+17wBqAfgFmvrou21mZMK4udES3IHYcJq+x1i/OStN+jf ZG6KKvV+q4ET7mqU31FQWxqzcyzqKybA8Hxk3Fcu75cK0V7Y6wngy+U+ZSXjXjNN 5yDl5eS57mUPnQxCCDXRg== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrudefgedghedvucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhepkfffgggfuffvvehfhfgjtgfgsehtjeertddtfeejnecuhfhrohhmpefrvght vghrucfgihhsvghnthhrrghuthcuoehpvghtvghrrdgvihhsvghnthhrrghuthesvghnth gvrhhprhhishgvuggsrdgtohhmqeenucggtffrrghtthgvrhhnpefhledthfefleffveeg uefgffejgfefhedtveevfeethfdtledtjefgjeegheelvdenucffohhmrghinhepmhhitg hrohhsohhfthdrtghomhenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgr ihhlfhhrohhmpehpvghtvghrrdgvihhsvghnthhrrghuthesvghnthgvrhhprhhishgvug gsrdgtohhm X-ME-Proxy: Feedback-ID: i131946ab:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Tue, 31 Jan 2023 08:25:57 -0500 (EST) Message-ID: <8a1ccf22-2a86-f002-bbd8-49f56729a5f3@enterprisedb.com> Date: Tue, 31 Jan 2023 14:25:55 +0100 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Thunderbird/102.6.1 Subject: Re: Transparent column encryption Content-Language: en-US To: Jacob Champion Cc: pgsql-hackers References: <89157929-c2b6-817b-6025-8e4b2d89d88f@enterprisedb.com> <48a9f2c2-4a57-27d8-7c53-16a23a01014e@enterprisedb.com> <79f08a39-a7da-5157-cef4-378fb60c18f8@enterprisedb.com> <258c5064-437e-f41e-7537-5e8c343c33cc@enterprisedb.com> <6bd99fea-3298-854d-d37f-554151342f36@enterprisedb.com> <963aa100-7e78-3463-0645-700eaaa325f2@enterprisedb.com> <06830254-6d87-86b2-0280-bf2eee7736a5@enterprisedb.com> <75f394fa-f539-1875-079c-c654deceed41@enterprisedb.com> <8bcedb49-1496-0755-bd24-1cbabf30ec84@enterprisedb.com> <5003d222-5975-38c1-e471-888e642f23aa@timescale.com> <00b0c4f3-0d9f-dcfd-2ba0-eee5109b4963@enterprisedb.com> From: Peter Eisentraut In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On 30.01.23 23:30, Jacob Champion wrote: >>> The column encryption algorithm is set per-column -- but isn't it >>> tightly coupled to the CEK, since the key length has to match? From a >>> layperson perspective, using the same key to encrypt the same plaintext >>> under two different algorithms (if they happen to have the same key >>> length) seems like it might be cryptographically risky. Is there a >>> reason I should be encouraged to do that? >> >> Not really. I was also initially confused by this setup, but that's how >> other similar systems are set up, so I thought it would be confusing to >> do it differently. > > Which systems let you mix and match keys and algorithms this way? I'd > like to take a look at them. See here for example: https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-database-engine?view=sql-server-ver15 >>> With the loss of \gencr it looks like we also lost a potential way to >>> force encryption from within psql. Any plans to add that for v1? >> >> \gencr didn't do that either. We could do it. The libpq API supports >> it. We just need to come up with some syntax for psql. > > Do you think people would rather set encryption for all parameters at > once -- something like \encbind -- or have the ability to mix > encrypted and unencrypted parameters? For pg_dump, I'd like a mode that makes all values parameters of an INSERT statement. But obviously not all of those will be encrypted. So I think we'd want a per-parameter syntax. > More concretely: should psql allow you to push arbitrary text into an > encrypted \bind parameter, like it does now? We don't have any data type awareness like that now in psql or libpq. It would be quite a change to start now. How would that deal with data type extensibility, is an obvious question to start with. Don't know.