On Tue, 24 Mar 2020 at 07:15, Bruce Momjian <br...@momjian.us> wrote:
>
> On Mon, Mar 23, 2020 at 03:55:34PM +0900, Masahiko Sawada wrote:
> > On Sat, 21 Mar 2020 at 23:50, Bruce Momjian <br...@momjian.us> wrote:
> > > Actually, I think we need three files:
> > >
> > > * TDE WAL key file
> > > * TDE block key file
> > > * SQL-level file
> > >
> > > Primaries and standbys have to use the same TDE WAL key file, but can
> > > use different TDE block key files to allow for key rotation, so having
> > > separate files makes sense --- maybe they need to be in their own
> > > directory.
> >
> > I've considered having separate key files once, but it would make
> > things complex to update multiple files atomically. Postgres server
> > will never start if it crashes in the middle of cluster passphrase
> > rotation. Can we consider having keys related to TDE after we
> > introduce the basic key management system? Probably having keys in a
> > separate file rather than in pg_control file would be better, but we
> > don't need these keys so far.
>
> Well, we need to be able to upgrade this so we have to set it up now in
> a way that allows that.
>
> I am not sure we have ever had a case where we needed to update multiple
> files atomically at the same time, without the help of WAL.
>
> Perhaps we should put the three keys in separate files in a directory
> called 'cryptokeys', and when we change the pass phrase, we create a new
> directory called 'cryptokeys.new'. Then once we have created the files
> in there with the new pass phrase, we remove cryptokeys and rename
> directory cryptokeys.new to cryptokeys. On boot, if cryptokeys exists
> and cryptokeys.new does too, remove cryptokeys.new because we crashed
> during key rotation. If cryptokeys.new exists and cryptokeys doesn't,
> we rename cryptokeys.new to cryptokeys because we crashed before the
> rename.
That seems to work fine. So we will have pg_cryptokeys within PGDATA, and
each key is stored in a separate file named after its key id, such as
"sql", "tde-wal" and "tde-block". I'll update the patch and post.

Regards,

--
Masahiko Sawada
http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
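The directory-swap rotation and the boot-time repair rules quoted above, written out as an added C example; this is not code from the thread or from any PostgreSQL patch. The directory names cryptokeys / cryptokeys.new and the three key ids come from the thread; the function names, the 0600/0700 modes, the flat-directory layout, the fsync calls on the key files and on the containing directories (a durability step the thread does not spell out), and the three constructed dummy key files are assumptions. The recovery routine returns a distinct code for each of the three states so a caller can log which repair was applied, and treats "neither directory exists" as an error rather than a clean start.

```c
/* Crash-safe rotation of per-key files in PGDATA/cryptokeys.
 * Added example, not PostgreSQL code; names, modes and layout are assumed. */
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define KEYDIR "cryptokeys"      /* live key directory, as in the thread */
#define NEWDIR "cryptokeys.new"  /* staging directory, as in the thread */
#define PATHBUF 4096

/* Constructed sample key set: the three ids from the thread, dummy bytes. */
const char *DEMO_IDS[3] = {"sql", "tde-wal", "tde-block"};
const unsigned char *DEMO_KEYS[3] = {
    (const unsigned char *)"constructed-demo-key-material-sql",
    (const unsigned char *)"constructed-demo-key-material-wal",
    (const unsigned char *)"constructed-demo-key-material-blk"};
const size_t DEMO_LENS[3] = {33, 33, 33};

static int path_exists(const char *p) { struct stat st; return stat(p, &st) == 0; }

static int build_path(char *out, const char *a, const char *b)
{
    return snprintf(out, PATHBUF, "%s/%s", a, b) < PATHBUF ? 0 : -1;
}

/* fsync a directory so a rename/unlink of its entries is durable. */
static int fsync_dir(const char *dir)
{
    int fd = open(dir, O_RDONLY), rc;
    if (fd < 0) return -1;
    rc = fsync(fd);
    close(fd);
    return rc;
}

/* Remove a flat directory of key files (no subdirectories expected). */
int remove_dir(const char *dir)
{
    DIR *d = opendir(dir);
    struct dirent *e;
    char p[PATHBUF];
    if (d == NULL) return -1;
    while ((e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0) continue;
        if (build_path(p, dir, e->d_name) != 0 || unlink(p) != 0) { closedir(d); return -1; }
    }
    closedir(d);
    return rmdir(dir);
}

/* Write one key file owner-only, O_EXCL so a stale file is never silently reused. */
static int write_key_file(const char *dir, const char *id, const unsigned char *key, size_t len)
{
    char p[PATHBUF];
    int fd;
    if (build_path(p, dir, id) != 0) return -1;
    fd = open(p, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    if (write(fd, key, len) != (ssize_t)len || fsync(fd) != 0) { close(fd); return -1; }
    return close(fd);
}

/* Step 1: write every key (re-wrapped under the new passphrase) into cryptokeys.new. */
int stage_new_keys(const char *pgdata, const char *ids[], const unsigned char *keys[],
                   const size_t lens[], int n)
{
    char newdir[PATHBUF];
    int i;
    if (build_path(newdir, pgdata, NEWDIR) != 0) return -1;
    if (path_exists(newdir) && remove_dir(newdir) != 0) return -1; /* leftover of a failed attempt */
    if (mkdir(newdir, 0700) != 0) return -1;
    for (i = 0; i < n; i++)
        if (write_key_file(newdir, ids[i], keys[i], lens[i]) != 0) return -1;
    return fsync_dir(newdir);
}

/* Step 2: remove the old directory, then rename the staged one into place. */
int rotate_keys(const char *pgdata, const char *ids[], const unsigned char *keys[],
                const size_t lens[], int n)
{
    char keydir[PATHBUF], newdir[PATHBUF];
    if (build_path(keydir, pgdata, KEYDIR) != 0 || build_path(newdir, pgdata, NEWDIR) != 0) return -1;
    if (stage_new_keys(pgdata, ids, keys, lens, n) != 0) return -1;
    if (path_exists(keydir) && remove_dir(keydir) != 0) return -1;
    if (rename(newdir, keydir) != 0) return -1;
    return fsync_dir(pgdata);
}

/* Boot-time repair: 0 = clean, 1 = discarded stale cryptokeys.new (crashed mid-rotation),
 * 2 = finished the interrupted rename, -1 = no key directory at all or repair failed. */
int recover_keys_dir(const char *pgdata)
{
    char keydir[PATHBUF], newdir[PATHBUF];
    int have_old, have_new;
    if (build_path(keydir, pgdata, KEYDIR) != 0 || build_path(newdir, pgdata, NEWDIR) != 0) return -1;
    have_old = path_exists(keydir);
    have_new = path_exists(newdir);
    if (have_old && have_new) return remove_dir(newdir) == 0 ? 1 : -1;
    if (!have_old && have_new) return (rename(newdir, keydir) == 0 && fsync_dir(pgdata) == 0) ? 2 : -1;
    return have_old ? 0 : -1;
}

/* True if PGDATA/cryptokeys/<id> exists. */
int key_file_present(const char *pgdata, const char *id)
{
    char keydir[PATHBUF], p[PATHBUF];
    if (build_path(keydir, pgdata, KEYDIR) != 0 || build_path(p, keydir, id) != 0) return 0;
    return path_exists(p);
}

int main(void)
{
    char tmpl[] = "/tmp/pgdata-demo-XXXXXX"; /* throwaway stand-in for PGDATA */
    if (mkdtemp(tmpl) == NULL) return 1;
    if (rotate_keys(tmpl, DEMO_IDS, DEMO_KEYS, DEMO_LENS, 3) != 0) return 1;
    printf("rotated keys under %s, boot check returned %d\n", tmpl, recover_keys_dir(tmpl));
    return 0;
}
```

The two crash windows the thread describes map onto the two non-zero return codes: both directories present means the old set is still authoritative and the staged set is thrown away; only cryptokeys.new present means the old set was already removed, so the only safe move is to complete the rename. Because the live directory is removed before the rename rather than swapped atomically, the second window is the one a caller must never treat as "no keys".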