Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1muc3e-0001vF-G3 for pgsql-hackers@arkaria.postgresql.org; Tue, 07 Dec 2021 15:07:06 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1muc3d-0005Nj-Co for pgsql-hackers@arkaria.postgresql.org; Tue, 07 Dec 2021 15:07:05 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1muc3d-0005NV-2L for pgsql-hackers@lists.postgresql.org; Tue, 07 Dec 2021 15:07:05 +0000 Received: from wout4-smtp.messagingengine.com ([64.147.123.20]) by magus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1muc3Z-00012n-A2 for pgsql-hackers@postgresql.org; Tue, 07 Dec 2021 15:07:04 +0000 Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.west.internal (Postfix) with ESMTP id 9162B3201A3C; Tue, 7 Dec 2021 10:06:58 -0500 (EST) Received: from mailfrontend1 ([10.202.2.162]) by compute3.internal (MEProxy); Tue, 07 Dec 2021 10:06:58 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm1; bh=kyupfq4oRA1887SL/IBUWCmmEYE3bkD5gaF/tH6+U bg=; b=GWsWRnzx8qxMkOPpr5uxFzlxSa6wh1JtMIJhtzwm2u4ulBY0e6tyKoJLf zafqNXsrukG2Uhe7YeopBx6iPk6FbiFVaLXIs5zJvVEwo5ViAcR0XWBWDD2zefhj AdEXj48VwOTnQobNe4en9tW3avF7/gPKqb0KLbuW6bTOdz6hsHP8bGwYfhWp3sPj CayVe5rqq/QEV0YQPOl8gH1LjofNIxrsNj8UqoA9c7y1jrQBUVIYw/+Yd5U6HQ9T 6CfcLRqkc+Xb8Qc30ObcovljbuszXBnGPo4DqO96luJCYzuPukyYkxiTfHp33k0d v0D7UzJI2d8DFZ93SUaShrq28uLxg== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvuddrjeehgdejgecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenuc fjughrpefkffggfgfuvfhfhfgjtgfgsehtjeertddtfeejnecuhfhrohhmpefrvghtvghr ucfgihhsvghnthhrrghuthcuoehpvghtvghrrdgvihhsvghnthhrrghuthesvghnthgvrh hprhhishgvuggsrdgtohhmqeenucggtffrrghtthgvrhhnpeefjeegheetuefhveevudel ueeftdejteeiffetvdduhfdtieefgfeutedtveeggfenucevlhhushhtvghrufhiiigvpe dtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehpvghtvghrrdgvihhsvghnthhrrghuthes vghnthgvrhhprhhishgvuggsrdgtohhm X-ME-Proxy: Received: by mail.messagingengine.com (Postfix) with ESMTPA; Tue, 7 Dec 2021 10:06:56 -0500 (EST) Message-ID: Date: Tue, 7 Dec 2021 16:06:55 +0100 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.3.2 Subject: Re: Transparent column encryption Content-Language: en-US To: Robert Haas Cc: pgsql-hackers References: <89157929-c2b6-817b-6025-8e4b2d89d88f@enterprisedb.com> From: Peter Eisentraut In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On 06.12.21 19:28, Robert Haas wrote: >> Speaking of parameter descriptions, the trickiest part of this whole >> thing appears to be how to get transparently encrypted data into the >> database (as opposed to reading it out). It is required to use >> protocol-level prepared statements (i.e., extended query) for this. > Why? If the client knows the CEK, can't the client choose to send > unprepared insert or update statements with pre-encrypted blobs? That > might be a bad idea from a security perspective because the encrypted > blob might then got logged, but we sometimes log parameters, too. The client can send something like PQexec(conn, "INSERT INTO tbl VALUES ('ENCBLOB', 'ENCBLOB')"); and it will work. (See the included test suite where 'ENCBLOB' is actually computed by pgcrypto.) But that is not transparent encryption. The client wants to send "INSERT INTO tbl VALUES ('val1', 'val2')" and have libpq take care of encrypting 'val1' and 'val2' before hitting the wire. For that you need to use the prepared statement API so that the values are available separately from the statement. And furthermore the client needs to know what columns the insert statements is writing to, so that it can get the CEK for that column. That's what it needs the parameter description for. As alluded to, workarounds exist or might be made available to do part of that work yourself, but that shouldn't be the normal way of using it.