On Thu, Feb 6, 2020 at 4:37 PM Cary Huang <cary.hu...@highgo.ca> wrote:
> Since the user does not need to know the master secret key used to cipher the
> data, I don't think we should expose "pg_kmgr_unwrap("xxxx")" SQL function to
> the user at all.
> The wrapped key "xxxx" is stored in control data and it is possible for a
> malicious user to obtain it and steal the key by running SELECT pg_kmgr_unwrap("xxxx").
> Even if the user is righteous, it may not be very straightforward for that user
> to obtain the wrapped key "xxxx" to use in the unwrap function.
I agree.

> so instead of:
> ------------------
> INSERT INTO tbl VALUES (pg_encrypt('user data', pg_kmgr_unwrap('xxxxx')));
> SELECT pg_decrypt(secret_column, pg_kmgr_unwrap('xxxxx')) FROM tbl;
>
> it would become:
> ------------------
> INSERT INTO tbl VALUES (pg_encrypt('user data', 'cluster_pass_phrase'));
> SELECT pg_decrypt(secret_column, 'cluster_pass_phrase') FROM tbl;

The second one is certainly better than the first one, as it prevents the
key from being stolen. It's still pretty bad, though, because the
supposedly-secret passphrase will end up in the server log. I have a hard
time believing that this feature as currently proposed is worth anything.

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
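The point Robert raises, that a passphrase or wrapped key passed as a SQL literal is recorded verbatim by statement logging, can be checked mechanically. The following scanner is an added example, not code from the thread or from PostgreSQL: it walks lines in the shape that `log_statement = 'all'` produces, finds calls to the proposed `pg_kmgr_unwrap`, `pg_encrypt` and `pg_decrypt` functions, and reports every call whose key argument is a string literal, emitting a redacted copy of the line. The function names and argument positions are taken from the two snippets quoted above; the functions were only proposed in this thread, so the model is an assumption, and the log lines are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Functions named in the thread and the 0-based position of the argument that
# carries key material. Positions follow the quoted examples; these functions
# were only proposed, so this table is a constructed model, not a real API.
KEY_ARG_POSITION: Dict[str, int] = {"pg_kmgr_unwrap": 0, "pg_encrypt": 1, "pg_decrypt": 1}

CALL_RE = re.compile(r"\b(pg_kmgr_unwrap|pg_encrypt|pg_decrypt)\s*\(", re.IGNORECASE)
# Shape of a log_statement entry: "... LOG:  statement: <sql>"
STATEMENT_RE = re.compile(r"LOG:\s+statement:\s+(.*)$")


def split_args(text: str, open_paren: int) -> Tuple[List[str], int]:
    """Split a SQL argument list whose '(' is at text[open_paren].

    Handles nested calls and single-quoted literals (including '' escapes).
    Returns the argument strings and the index just past the closing ')'.
    """
    depth, in_str = 0, False
    args: List[str] = []
    cur: List[str] = []
    i = open_paren
    while i < len(text):
        c = text[i]
        if in_str:
            cur.append(c)
            if c == "'":
                if text[i + 1 : i + 2] == "'":   # doubled quote inside a literal
                    cur.append("'")
                    i += 1
                else:
                    in_str = False
        elif c == "'":
            in_str = True
            cur.append(c)
        elif c == "(":
            depth += 1
            if depth > 1:
                cur.append(c)
        elif c == ")":
            depth -= 1
            if depth == 0:
                args.append("".join(cur).strip())
                return args, i + 1
            cur.append(c)
        elif c == "," and depth == 1:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    raise ValueError("unbalanced parentheses in SQL call")


def find_key_literals(statement: str) -> List[Tuple[str, str]]:
    """Return (function, literal) pairs where the key argument is a string literal."""
    leaks = []
    for m in CALL_RE.finditer(statement):          # nested calls are matched too
        func = m.group(1).lower()
        args, _ = split_args(statement, m.end() - 1)
        pos = KEY_ARG_POSITION[func]
        if pos < len(args) and args[pos].startswith("'"):
            leaks.append((func, args[pos]))
    return leaks


def redact_statement(statement: str) -> str:
    """Replace every literal key argument with a placeholder."""
    for _, literal in find_key_literals(statement):
        statement = statement.replace(literal, "'<redacted>'")
    return statement


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Flag logged statements that recorded key material, with a redacted copy."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = STATEMENT_RE.search(line)
        if not m:
            continue
        leaks = find_key_literals(m.group(1))
        if leaks:
            findings.append({
                "line": n,
                "functions": sorted({f for f, _ in leaks}),
                "redacted": line[: m.start(1)] + redact_statement(m.group(1)),
            })
    return findings


# Constructed sample of what log_statement = 'all' would record for the
# statements quoted in the thread (not real server output).
SAMPLE_LOG = [
    "2020-02-06 16:37:00 PST [4242] LOG:  statement: INSERT INTO tbl VALUES (pg_encrypt('user data', pg_kmgr_unwrap('xxxxx')));",
    "2020-02-06 16:37:01 PST [4242] LOG:  statement: SELECT pg_decrypt(secret_column, pg_kmgr_unwrap('xxxxx')) FROM tbl;",
    "2020-02-06 16:37:02 PST [4242] LOG:  statement: INSERT INTO tbl VALUES (pg_encrypt('user data', 'cluster_pass_phrase'));",
    "2020-02-06 16:37:03 PST [4242] LOG:  statement: SELECT pg_decrypt(secret_column, 'cluster_pass_phrase') FROM tbl;",
    "2020-02-06 16:37:04 PST [4242] LOG:  statement: SELECT count(*) FROM tbl;",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: key material passed to {', '.join(f['functions'])}")
        print("   ", f["redacted"])
```

Both variants from the thread trip the scanner: the first leaks the wrapped key through `pg_kmgr_unwrap('xxxxx')`, the second leaks the passphrase directly. Redacting after the fact is only damage control, since `log_statement` and `log_min_duration_statement` (and anything shipping those logs elsewhere) have already written the literal; the scanner is useful for spotting such usage, but the design fix is to keep key material out of SQL text altogether. The splitter understands single-quoted literals only, so dollar-quoted strings would need extra handling.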