On Wed, Oct 6, 2021 at 3:17 PM Stephen Frost <sfr...@snowman.net> wrote:
> With AES-XTS, we don't need to use the LSN as part of the nonce though,
> so I don't think this argument is actually valid..? As discussed
> previously regarding AES-XTS, the general idea was to use the path to
> the file and the filename itself plus the block number as the IV, and
> that works fine for XTS because it's ok to reuse it (unlike with CTR).

However, there's also the option of storing a nonce in each page, as suggested by the subject of this thread. I think that's probably a pretty workable approach, as demonstrated by the patch that started this thread. We'd need to think a bit carefully about whether any of the compile-time calculations the patch moves to runtime are expensive enough to matter and whether any such impacts can be mitigated, but I think there is a good chance that such issues are manageable.

I'm a little concerned by the email from "Sasasu" saying that even in XTS reusing the IV is not cryptographically weak. I don't know enough about these different encryption modes to know if he's right, but if he is then perhaps we need to consider his suggestion of using AES-GCM. Or, uh, something else.

--
Robert Haas
EDB: http://www.enterprisedb.com
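
Added illustration, not part of the original message or of the patch under discussion: what an observer of two ciphertexts of the same page learns when the IV (file path plus block number) is reused, in an XTS-structured mode versus CTR. A Feistel network over HMAC-SHA256 stands in for AES so the sketch needs only the standard library; `tweak_for`, the relation path, the keys and the sample pages are assumptions constructed for the example.

```python
import hashlib, hmac
BLOCK = 16  # cipher block size in bytes, as in AES

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def prp(key, block):
    """Stand-in for AES (not AES): 4-round Feistel keyed with HMAC-SHA256."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

def tweak_for(path, blkno):
    """Assumed IV derivation: hash of the file path, then the block number."""
    return hashlib.sha256(path.encode()).digest()[:8] + blkno.to_bytes(8, "little")

def xts_encrypt(k1, k2, tweak, page):
    """XTS structure: C_j = E_k1(P_j ^ T_j) ^ T_j, with T_0 = E_k2(tweak)."""
    t, out = int.from_bytes(prp(k2, tweak), "little"), b""
    for i in range(0, len(page), BLOCK):
        mask = t.to_bytes(BLOCK, "little")
        out += xor(prp(k1, xor(page[i:i + BLOCK], mask)), mask)
        t = ((t << 1) % (1 << 128)) ^ (0x87 if t >> 127 else 0)  # times alpha in GF(2^128)
    return out

def ctr_encrypt(key, nonce, page):
    """CTR: keystream block j = E_key(nonce || j), XORed into the plaintext."""
    out = b""
    for i in range(0, len(page), BLOCK):
        ks = prp(key, nonce[:12] + (i // BLOCK).to_bytes(4, "big"))
        out += xor(page[i:i + BLOCK], ks)
    return out

def changed_blocks(a, b):
    return [i // BLOCK for i in range(0, len(a), BLOCK) if a[i:i + BLOCK] != b[i:i + BLOCK]]

# Constructed sample: two versions of one 64-byte page at the same file and block.
K1, K2 = b"1" * 32, b"2" * 32
IV = tweak_for("base/16384/16385", 7)   # hypothetical relation path and block number
OLD = b"A" * 64
NEW = b"A" * 16 + b"secret-row-v2..." + b"A" * 32

def reuse_leakage():
    """Returns (XTS: which blocks changed, CTR: new page recovered from old)."""
    xts = changed_blocks(xts_encrypt(K1, K2, IV, OLD), xts_encrypt(K1, K2, IV, NEW))
    ctr_xor = xor(ctr_encrypt(K1, IV, OLD), ctr_encrypt(K1, IV, NEW))
    return xts, xor(ctr_xor, OLD)
```

With the IV reused, the XTS-structured ciphertexts reveal only that 16-byte block 1 changed, while the CTR ciphertexts XOR to the difference of the two plaintexts, so knowing the old page yields the new one.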