Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1mcDdU-0003eb-Gy for pgsql-hackers@arkaria.postgresql.org; Sun, 17 Oct 2021 21:24:04 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1mcDdS-0007Lt-Ig for pgsql-hackers@arkaria.postgresql.org; Sun, 17 Oct 2021 21:24:02 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1mcDdR-0007Lj-Uy for pgsql-hackers@lists.postgresql.org; Sun, 17 Oct 2021 21:24:02 +0000 Received: from mail-ed1-x536.google.com ([2a00:1450:4864:20::536]) by magus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from ) id 1mcDdK-0007OU-3Z for pgsql-hackers@postgresql.org; Sun, 17 Oct 2021 21:24:01 +0000 Received: by mail-ed1-x536.google.com with SMTP id a25so62742107edx.8 for ; Sun, 17 Oct 2021 14:23:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=enterprisedb.com; s=google; h=message-id:date:mime-version:user-agent:subject:content-language:to :cc:references:from:in-reply-to:content-transfer-encoding; bh=niroNdfA/TEc2JZi2NfwdqSho1R/LQtPQw1MFHfELEg=; b=Se72schXS2YQD97jsJZO6CeNmu17V+RiPmrbPgHV6692RcpEF/cR8ZBGvnXAqUKjQA afzCREu+yBiexxmlbJxeQJvh4ebjSKR00hBuhjeAlb1jaA6vQQKWpOBQTwhrbyaMBu2s qdA8yapqwCzZHkcEXaMIgcimDwYTVhSAvUjEhJEoT5ZBR3dJL3N4mHSoiEVtrBnufWv6 Rq06lKkiAO745hRLqb4XanPPi53DXxmKvdp0I5KvlF5ZJgrz6/GluIlCTbvg5WAh0CWK SnLz9jMmD9JsgLf66kaqtPDrBTNeTGNDPeRKpIKZFxNcbFZTZnvn5kzGHTckA3R9YNAO vBMw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:mime-version:user-agent:subject :content-language:to:cc:references:from:in-reply-to :content-transfer-encoding; bh=niroNdfA/TEc2JZi2NfwdqSho1R/LQtPQw1MFHfELEg=; b=usOXMuBLND1gsOqPCYVTFHyf2it2qazuqegSAto6guAv2xOXnI3+gqZYZ5cydBdbJd GIMp6rK5XKmV0SxHcc0m5QKtBPp3D8Lh9FXeQBxpUul0HjSx4ZXR/ko4VzPsTP5LxfXf LFm1LmdGMcJzjOW/PdpqO8W0LGDQP2Lh/WBPgcgGNYzllNFZIxbqZCTImHOCbndoWEdE 6mbPLOjERK2zziVQzJDDURAhq0+cYXucBeMvZ8yh03zN0ovZN8jTb6U0BK3cW4TsmFV7 Nbi+bk9gZfuIzaPkOn5XeDU91L5szSG62Q8a3axYtId+Pf7PIVDldoD/kRPP4T/RFePL NAlA== X-Gm-Message-State: AOAM531Gt69vV9U4CIi+PC7Gldys1jASWBc67DD01le8MtqLqjGCVylc wDRATctxSeG2Yodpx18o+M7vctwCyLL//FxYPKKmms35ThJj89uAODCUFvhYDqnN6i6j2Ip0wMv N3ZAdbcDRhkqk3UWOhD5OBNbsCeOqvERL4N5R+m7cSP2QjOItxPtgBctcs/l1XFHwvNfb5Hf0bf om5qW6Qhq1T/aIEmxhxngqliCG2YxjEQeoKO7/ X-Google-Smtp-Source: ABdhPJyRviQah5iytg6zWGXNM9LW2ibkdREWK0SfufQhlqjwDDjN2v0pezQ86FbWH31oXikD/OAQ0A== X-Received: by 2002:a50:e183:: with SMTP id k3mr39289427edl.22.1634505832434; Sun, 17 Oct 2021 14:23:52 -0700 (PDT) Received: from [10.137.0.18] (ip-86-49-251-104.net.upcbroadband.cz. [86.49.251.104]) by smtp.gmail.com with ESMTPSA id h9sm7883962ejy.108.2021.10.17.14.23.51 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 17 Oct 2021 14:23:52 -0700 (PDT) Message-ID: Date: Sun, 17 Oct 2021 23:23:49 +0200 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.1.0 Subject: Re: XTS cipher mode for cluster file encryption Content-Language: en-US To: Bruce Momjian , Andres Freund Cc: Stephen Frost , PostgreSQL-development References: <20211013222648.GA373@momjian.us> <20211015192248.GP20998@tamriel.snowman.net> <80dddd73-ae23-0481-53ad-d37f8b51c86a@enterprisedb.com> <20211016141625.GA8190@momjian.us> <20211016161505.jj3uoe75avwo6vbk@alap3.anarazel.de> <20211016162851.GB8190@momjian.us> From: Tomas Vondra In-Reply-To: <20211016162851.GB8190@momjian.us> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-CLOUD-SEC-AV-Info: enterprisedb,google_mail,monitor X-CLOUD-SEC-AV-Sent: true X-Gm-Spam: 0 X-Gm-Phishy: 0 List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On 10/16/21 18:28, Bruce Momjian wrote: > On Sat, Oct 16, 2021 at 09:15:05AM -0700, Andres Freund wrote: >> Hi, >> >> On 2021-10-16 10:16:25 -0400, Bruce Momjian wrote: >>> As a final comment to Andres's email, adding a GCM has the problems >>> above, plus it wouldn't detect changes to pg_xact, fsm, vm, etc, which >>> could also affect the integrity of the data. Someone could also restore >>> and old copy of a patch to revert a change, and that would not be >>> detected even by GCM. >> >>> I consider this a checkbox feature and making it too complex will cause >>> it to be rightly rejected. >> >> You're just deferring / hiding the complexity. For one, we'll need integrity >> before long if we add encryption support. Then we'll deal with a more complex >> on-disk format because there will be two different ways of encrypting. For >> another, you're spreading out the security analysis to a lot of places in the >> code and more importantly to future changes affecting on-disk data. >> I've argued for storing the nonce, but I don't quite see why would we need integrity guarantees? AFAICS the threat model the patch aims to address is an attacker who can observe the data (e.g. a low-privileged OS user), but can't modify the files. Which seems like a reasonable model for shared environments. IMO extending this to cases where the attacker can modify the data moves the goalposts quite significantly. And it's quite possible authenticated encryption would not be enough to prevent that, because that still works only at block level, and you can probably do a lot of harm with replay attacks (e.g. replacing blocks with older versions). And if you can modify the data directory / config files, what are the chances you can't just get access to the database, trace the processes or whatever? We already have a way to check integrity by storing page checksum, but I'm not sure if that's good enough (there's a lot of subtle issues with building proper AEAD scheme). regards -- Tomas Vondra EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company