public inbox for [email protected]  
help / color / mirror / Atom feed
From: Stephen Frost <[email protected]>
To: Bruce Momjian <[email protected]>
Cc: Andres Freund <[email protected]>
Cc: Antonin Houska <[email protected]>
Cc: PostgreSQL-development <[email protected]>
Cc: Robert Haas <[email protected]>
Cc: Sasasu <[email protected]>
Subject: Re: XTS cipher mode for cluster file encryption
Date: Tue, 1 Feb 2022 13:07:36 -0500
Message-ID: <CAOuzzgrp9fYTP_B4OgY89bdF+7-nFVexturcWYw6SChwva-E8A@mail.gmail.com> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
	<[email protected]>
	<CA+TgmoaMHLXrxOj1HA+K=Z_qqgZUOpfdto8+QiVXsfP0ds+ojw@mail.gmail.com>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<18009.1638171451@antos>
	<[email protected]>
	<1781.1643697906@antos>
	<[email protected]>

Greetings,

On Tue, Feb 1, 2022 at 12:50 Bruce Momjian <[email protected]> wrote:

> On Tue, Feb  1, 2022 at 07:45:06AM +0100, Antonin Houska wrote:
> > > With pg_upgrade modified to preserve the relfilenode, tablespace oid,
> and
> > > database oid, we are now closer to implementing cluster file encryption
> > > using XTS.  I think we have a few steps left:
> > >
> > > 1.  modify temporary file I/O to use a more centralized API
> > > 2.  modify the existing cluster file encryption patch to use XTS with a
> > >     IV that uses more than the LSN
> > > 3.  add XTS regression test code like CTR
> > > 4.  create WAL encryption code using CTR
> > >
> > > If we can do #1 in PG 15 I think I can have #2 ready for PG 16 in July.
> > > The feature wiki page is:
> > >
> > >     https://wiki.postgresql.org/wiki/Transparent_Data_Encryption
> > >
> > > Do people want to advance this feature forward?
> >
> > I confirm that we (Cybertec) do and that we're ready to spend more time
> on the
> > community implementation.
>
> Well, I sent an email a week ago asking if people want to advance this
> feature forward, and so far you are the only person to reply, which I
> think means there isn't enough interest in this feature to advance it.


This confuses me. Clearly there’s plenty of interest, but asking on hackers
in a deep old sub thread isn’t a terribly good way to judge that.  Yet even
when there is an active positive response, you argue that there isn’t
enough.

In general, I agree that the items you laid out are what the next steps
are.  There are patches for some of those items already too and some of
them, such as consolidating the temporary file access, are beneficial even
without the potential to use them for encryption.

Instead of again asking if people want this feature (many, many, many do),
I’d encourage Antonin to start a new thread with the patch to do the
temporary file access consolidation which then provides a buffered access
and reduces the number of syscalls and work towards getting that committed,
ideally as part of this release.

Thanks,

Stephen

>


view thread (5+ messages)  latest in thread

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
  Subject: Re: XTS cipher mode for cluster file encryption
  In-Reply-To: <CAOuzzgrp9fYTP_B4OgY89bdF+7-nFVexturcWYw6SChwva-E8A@mail.gmail.com>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox