Hello Stephen,
The implementations should not have to be in any particular language: Shell,
Perl, Python, C should be possible.
I disagree that it makes any sense to pass actual encryption out to a
shell script.
Yes, sure. I'm talking about key management. For actual crypto functions,
ISTM that they should be "replaceable", i.e. if some institution does not
believe in AES then they could switch to something else.
After giving it more thought during the day, I think that only one
command and a basic protocol is needed. Maybe something as simple as
/path/to/command --options arguments…
This is what's proposed- a command is run to acquire the KEK (as a hex
encoded set of bytes, making it possible to use a shell script, which is
what the patch does too).
Yep, but that is not what I'm trying to advocate. The "KEK" (if any),
would stay in the process, not be given back to the database or command
using it. Then the database/tool would interact with the command to get
the actual per-file keys when needed.
[...] The API to fetch the KEK doesn't care at all about where it's
stored or how it's derived or anything like that.
There's a relatively small change which could be made to have PG request
all of the keys that it'll need on startup, if we want to go there as
has been suggested elsewhere, but even if we do that, PG needs to be
able to do that itself too, otherwise it's not a complete capability and
there seems little point in doing something that's just a pass-thru to
something else and isn't able to really be used.
I do not understand. Postgres should provide a working implementation,
whether the functions are directly inside pg or though an external
process, they need to be there anyway. I'm trying to fix a clean, possibly
external API so that it is possible to have something different from the
choices made in the patch.
--
Fabien.
