Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1pefQL-00017g-6o for pgsql-hackers@arkaria.postgresql.org; Tue, 21 Mar 2023 17:05:25 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1pefQK-0002nB-0O for pgsql-hackers@arkaria.postgresql.org; Tue, 21 Mar 2023 17:05:24 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1pefQJ-0002n2-5o for pgsql-hackers@lists.postgresql.org; Tue, 21 Mar 2023 17:05:23 +0000 Received: from new1-smtp.messagingengine.com ([66.111.4.221]) by makus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1pefQG-0000FU-8E for pgsql-hackers@postgresql.org; Tue, 21 Mar 2023 17:05:22 +0000 Received: from compute2.internal (compute2.nyi.internal [10.202.2.46]) by mailnew.nyi.internal (Postfix) with ESMTP id 1CC3E582131; Tue, 21 Mar 2023 13:05:19 -0400 (EDT) Received: from mailfrontend2 ([10.202.2.163]) by compute2.internal (MEProxy); Tue, 21 Mar 2023 13:05:19 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:content-type:date:date:feedback-id:feedback-id :from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:sender:subject:subject:to:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; t= 1679418319; x=1679425519; bh=6RFjrkKzYiaKdr5UuU41G+RLe829QSHdlEX KF12KVQY=; b=f2kScjwFSeYaRvUnxMl64gsa4ar4OlGojAUM80ZYTsJuRsic59v Nbl9sYJEettCKl3XtmeAIS8hkwYQyt2xuKkH/upACvwSc+jH3q+ixB67yTWGLKQ7 Gagoxl6snBw53123TOXOycv5uOiw0DthUXsE/LDGApzkf+OpWiShPW4PVIg0hIXA xEdMr0Ns6Yu3rfAskzgg12UaaqZpFXfNHWz2vXu3jihbgkJPo3tppM93pWCQoEGA XWWLblM0VmT1LiuGggrAYVBWnojFfEjA21xJz0IUItqfPy/6RUlcjtgFFMAsvC1B ZzbQ5cb7KeSxRsoSMjhWHKcZwBQaDZSgowQ== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrvdegtddgleehucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhepkfffgggfuffvvehfhfgjtgfgsehtjeertddtfeejnecuhfhrohhmpefrvght vghrucfgihhsvghnthhrrghuthcuoehpvghtvghrrdgvihhsvghnthhrrghuthesvghnth gvrhhprhhishgvuggsrdgtohhmqeenucggtffrrghtthgvrhhnpeduveeghfevteeihfei fedutdeiueegffetieekveekheehieefkeeileeftdfgheenucffohhmrghinhepphhosh htghhrrdgvshenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhr ohhmpehpvghtvghrrdgvihhsvghnthhrrghuthesvghnthgvrhhprhhishgvuggsrdgtoh hm X-ME-Proxy: Feedback-ID: i131946ab:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Tue, 21 Mar 2023 13:05:17 -0400 (EDT) Message-ID: Date: Tue, 21 Mar 2023 18:05:15 +0100 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Thunderbird/102.9.0 Subject: Re: Transparent column encryption Content-Language: en-US To: Andres Freund Cc: pgsql-hackers References: <1034b6f1-ccab-8a22-c843-71104ebedf01@enterprisedb.com> <40c43d0d-ae4b-fe34-2667-771b3718384e@enterprisedb.com> <47e17f03-6595-6c09-8978-7a1581cad6f2@enterprisedb.com> <7a430d89-233b-5cd7-6892-9fed06695d39@enterprisedb.com> <20230312001125.ijeu4imbwlhj5flf@awork3.anarazel.de> <43a88695-5e0b-4379-94cf-0392fdea4be9@enterprisedb.com> <20230313204119.4mkepdvixcxrwpsc@awork3.anarazel.de> <20230313211108.zge6vnqukexkih62@awork3.anarazel.de> <20230316163648.q3wgjinmad6225t3@awork3.anarazel.de> From: Peter Eisentraut In-Reply-To: <20230316163648.q3wgjinmad6225t3@awork3.anarazel.de> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On 16.03.23 17:36, Andres Freund wrote: > Maybe a daft question, but why do we need a separate type and typmod for > encrypted columns? Why isn't the fact that the column is encrypted exactly one > new field, and we use the existing type/typmod fields? The way this is implemented is that for an encrypted column, the real atttypid and atttypmod are one of the encrypted special types (pg_encrypted_*). That way, most of the system doesn't need to care about the details of encryption or whatnot, it just unpacks tuples etc. by looking at atttypid, atttyplen, etc., and queries on encrypted data behave normally by just looking at what operators etc. those types have. This approach heavily contains the number of places that need to know about this feature at all. >> Do we need to decouple tuple descriptors from pg_attribute altogether? > > Yes. Very clearly. The amount of memory and runtime we spent on tupledescs is > disproportionate. A second angle is that we build tupledescs way way too > frequently. The executor infers them everywhere, so not even prepared > statements protect against that. > > >> How do we decide what goes into the tuple descriptor and what does not? I'm >> interested in addressing this, because obviously we do want the ability to >> add more features in the future, but I don't know what the direction should >> be. > > We've had some prior discussion around this, see e.g. > https://postgr.es/m/20210819114435.6r532qbadcsyfscp%40alap3.anarazel.de This sounds like a good plan.