Greetings,

* Bruce Momjian (br...@momjian.us) wrote:
> On Wed, Oct 6, 2021 at 03:17:00PM -0400, Stephen Frost wrote:
> > * Bruce Momjian (br...@momjian.us) wrote:
> > > On Tue, Oct 5, 2021 at 04:29:25PM -0400, Bruce Momjian wrote:
> > > > On Tue, Sep 28, 2021 at 12:30:02PM +0300, Ants Aasma wrote:
> > > > > On Mon, 27 Sept 2021 at 23:34, Bruce Momjian <br...@momjian.us> wrote:
> > > > > We are still working on our TDE patch. Right now the focus is on refactoring
> > > > > temporary file access to make the TDE patch itself smaller. Reconsidering
> > > > > encryption mode choices given concerns expressed is next. Currently a viable
> > > > > option seems to be AES-XTS with LSN added into the IV. XTS doesn't have an
> -----------------------------------------------------
> > > > > issue with predictable IV and isn't totally broken in case of IV reuse.
> > > >
> > > > Uh, yes, AES-XTS has benefits, but since it is a block cipher, previous
> > > > 16-byte blocks affect later blocks, meaning that hint bit changes would
> > > > also affect later blocks. I think this means we would need to write WAL
> > > > full page images for hint bit changes to avoid torn pages. Right now
> > > > hint bit (single bit) changes can be lost without causing torn pages.
> > > > This was another of the advantages of using a stream cipher like CTR.
> > >
> > > Another problem caused by block mode ciphers is that to use the LSN as
> > > part of the nonce, the LSN must not be encrypted, but you then have to
> > > find a 16-byte block in the page that you don't need to encrypt.
> >
> > With AES-XTS, we don't need to use the LSN as part of the nonce though,
> > so I don't think this argument is actually valid..? As discussed
> > previously regarding AES-XTS, the general idea was to use the path to
> > the file and the filename itself plus the block number as the IV, and
> > that works fine for XTS because it's ok to reuse it (unlike with CTR).
>
> Yes, I would prefer we don't use the LSN. I only mentioned it since
> Ants Aasma mentioned LSN use above.

Ohhh, apologies for missing that, makes more sense now.

Thanks!

Stephen
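Added example, not part of the thread or of any PostgreSQL TDE patch: it measures how a single-bit page change shows up in the ciphertext when the IV is reused, for AES-CTR and for AES-XTS. It assumes the Python `cryptography` package; the IV derivation (SHA-256 of path and block number, truncated), the relation path, the keys and the page contents are all constructed for illustration.

```python
import hashlib
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

PAGE_SIZE = 8192   # PostgreSQL default block size
AES_BLOCK = 16     # AES block size in bytes


def page_iv(rel_path: str, block_no: int) -> bytes:
    """Assumed construction: 16-byte IV/tweak from file path + block number."""
    return hashlib.sha256(f"{rel_path}:{block_no}".encode()).digest()[:AES_BLOCK]


def encrypt_page(mode_name: str, iv: bytes, page: bytes) -> bytes:
    """Encrypt one page with AES-256 in XTS or CTR mode (fixed demo keys)."""
    if mode_name == "xts":
        key, mode = bytes(range(64)), modes.XTS(iv)   # XTS takes a double-length key
    else:
        key, mode = bytes(range(32)), modes.CTR(iv)
    enc = Cipher(algorithms.AES(key), mode).encryptor()
    return enc.update(page) + enc.finalize()


def changed_blocks(a: bytes, b: bytes) -> list:
    """Indexes of the 16-byte ciphertext blocks that differ."""
    return [i // AES_BLOCK for i in range(0, len(a), AES_BLOCK)
            if a[i:i + AES_BLOCK] != b[i:i + AES_BLOCK]]


def changed_bits(a: bytes, b: bytes) -> int:
    """Number of ciphertext bits that differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def hint_bit_experiment(mode_name: str, flip_offset: int = 100):
    """Encrypt a page, flip one bit in place, re-encrypt with the SAME IV."""
    iv = page_iv("base/16384/24576", 7)            # constructed path and block
    page = bytearray(hashlib.shake_256(b"constructed page").digest(PAGE_SIZE))
    before = encrypt_page(mode_name, iv, bytes(page))
    page[flip_offset] ^= 0x01                      # stand-in for a hint-bit change
    after = encrypt_page(mode_name, iv, bytes(page))
    return changed_blocks(before, after), changed_bits(before, after)


if __name__ == "__main__":
    for name in ("ctr", "xts"):
        blocks, bits = hint_bit_experiment(name)
        print(f"{name}: ciphertext blocks changed={blocks}, bits changed={bits}")
```

With the reused IV, CTR changes exactly the one ciphertext bit, which exposes which plaintext bit moved; XTS rewrites the whole 16-byte block containing the change and leaves the other blocks of the page untouched.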