PoC: PG-1442 Encrypt catalog tables using the default key #58

Draft: wants to merge 2 commits into base: TDE_REL_17_STABLE

@jeltz jeltz (Collaborator) commented Feb 11, 2025

Quick and dirty PoC which implements encryption of the system catalog if there is a default key configured. To test it, do the following:

```sql
CREATE DATABASE foo;

CREATE EXTENSION IF NOT EXISTS pg_tde;
SELECT pg_tde_add_key_provider_file('PG_TDE_GLOBAL', 'file-provider','/tmp/default.per');
SELECT pg_tde_set_default_principal_key('default-principal-key', 'PG_TDE_GLOBAL', 'file-provider', false);

CREATE DATABASE bar;

CHECKPOINT;
```

In foo:

```sql
CREATE TABLE zzz_foo AS SELECT generate_series(1, 10000); CHECKPOINT;
```

In bar:

```sql
CREATE TABLE zzz_bar AS SELECT generate_series(1, 10000); CHECKPOINT;
```

Check:

```
$ strings data/base/16384/1259 | grep ^pg_ | wc -l
484
$ strings data/base/16384/1259 | grep zzz
zzz_foo
$ strings data/base/16452/1259 | grep ^pg_ | wc -l
0
$ strings data/base/16452/1259 | grep zzz
```
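
As an added example (not part of this PR or of pg_tde): a Python version of the `strings`/`grep` check above that also reports per-page entropy, so that an empty or zeroed file is not mistaken for an encrypted one. The 8 KB page size, the 7.0 bits/byte threshold, the assumption that an encrypted page looks random end to end, and the sample pages are all assumptions made for this example.

```python
import math
import re
from collections import Counter

BLCKSZ = 8192  # PostgreSQL default page size (assumed: default build)
MIN_CIPHER_ENTROPY = 7.0  # bits/byte; assumed threshold for "looks like ciphertext"
_RUN = re.compile(rb"[\x20-\x7e]{4,}")  # printable runs, same default as strings(1)


def strings(data: bytes) -> list[str]:
    """Return printable ASCII runs of four or more bytes."""
    return [m.group().decode("ascii") for m in _RUN.finditer(data)]


def entropy(block: bytes) -> float:
    """Shannon entropy of a block in bits per byte (0.0 to 8.0)."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def audit_relation_file(data: bytes, marker: str = "zzz") -> dict:
    """Classify the bytes of one relation file, e.g. base/<dboid>/1259."""
    leaked = [s for s in strings(data) if s.startswith("pg_") or marker in s]
    pages = [data[i:i + BLCKSZ] for i in range(0, len(data), BLCKSZ)]
    low = min((entropy(p) for p in pages), default=0.0)
    if leaked:
        verdict = "plaintext"
    elif low >= MIN_CIPHER_ENTROPY:
        verdict = "ciphertext-like"
    else:
        # No names found, but not random-looking either: an empty or zeroed
        # file passes the strings/grep check without being encrypted.
        verdict = "inconclusive"
    return {"verdict": verdict, "leaked": leaked, "min_page_entropy": low}


# Constructed sample pages (not real PostgreSQL files).
_NAMES = b"\x00".join([b"pg_class", b"pg_attribute", b"zzz_foo"])
PLAIN_PAGE = _NAMES + bytes(BLCKSZ - len(_NAMES))
# Stand-in for ciphertext: every byte value equally often, no printable run >= 4.
CIPHER_PAGE = bytes((i * 167 + 13) % 256 for i in range(BLCKSZ))
ZERO_PAGE = bytes(BLCKSZ)

if __name__ == "__main__":
    for name, page in [("plain", PLAIN_PAGE), ("cipher", CIPHER_PAGE), ("zero", ZERO_PAGE)]:
        print(name, audit_relation_file(page))
```

On a real cluster, pass the contents of a catalog relation file such as `data/base/16452/1259` to `audit_relation_file`.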

@jeltz jeltz requested review from dutow and dAdAbird as code owners February 11, 2025 21:40
@jeltz jeltz force-pushed the tde/catalog-encryption branch 2 times, most recently from 2369fcd to f59281b Compare February 11, 2025 21:58
@jeltz jeltz force-pushed the tde/catalog-encryption branch 6 times, most recently from 672c4cf to 0ff6fe2 Compare February 13, 2025 13:11
@jeltz jeltz marked this pull request as draft February 17, 2025 11:47
@jeltz jeltz force-pushed the tde/catalog-encryption branch 4 times, most recently from 65abf43 to 7a9209d Compare March 4, 2025 16:47
@jeltz jeltz changed the title PoC: Encrypt catalog tables using the default key PoC: PG-1442 Encrypt catalog tables using the default key Mar 12, 2025
@jeltz jeltz force-pushed the tde/catalog-encryption branch from 7a9209d to c314b01 Compare March 12, 2025 16:09
@jeltz jeltz force-pushed the tde/catalog-encryption branch from c314b01 to caa68bd Compare March 22, 2025 11:53