PoC: PG-1442 Encrypt catalog tables using the default key #58

Draft
wants to merge 2 commits into
base: TDE_REL_17_STABLE
4 changes: 3 additions & 1 deletion ci_scripts/tde_setup_global.sql
Expand Up @@ -2,8 +2,10 @@ CREATE SCHEMA tde;
CREATE EXTENSION IF NOT EXISTS pg_tde SCHEMA tde;

SELECT tde.pg_tde_add_global_key_provider_file('reg_file-global', '/tmp/pg_tde_test_keyring.per');
SELECT tde.pg_tde_set_server_principal_key('global-principal-key', 'reg_file-global');
SELECT tde.pg_tde_set_server_principal_key('wal-principal-key', 'reg_file-global');
ALTER SYSTEM SET pg_tde.wal_encrypt = on;
ALTER SYSTEM SET default_table_access_method = 'tde_heap';
ALTER SYSTEM SET search_path = "$user",public,tde;
CHECKPOINT;
SELECT tde.pg_tde_set_default_principal_key('default-principal-key', 'reg_file-global', false);
-- restart required
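Review bot: The new `pg_tde_set_default_principal_key('default-principal-key', 'reg_file-global', false)` call leaves its third positional boolean unexplained, and the trailing `-- restart required` now reads as if it belongs to that call rather than to the `ALTER SYSTEM` settings above it. Name what the flag controls (presumably whether a fresh key must be generated — confirm against the function's signature) and scope the restart note, e.g. `-- false: reuse an existing key of this name if present` on the call and `-- ALTER SYSTEM changes above (wal_encrypt, default_table_access_method, search_path) take effect only after a server restart`. The diffstat allows one deletion, so the two consecutive `pg_tde_set_server_principal_key` calls at the top cannot both be on the new side; if both did survive, the second would simply override the first. Note also that the keyring is a fixed path under `/tmp`; acceptable for CI, but a pre-existing file at that path would be silently reused, which is worth a one-line comment.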
9 changes: 6 additions & 3 deletions contrib/pg_tde/expected/default_principal_key.out
Expand Up @@ -47,11 +47,14 @@ SELECT current_database() AS regress_database
CREATE DATABASE regress_pg_tde_other;
\c regress_pg_tde_other
CREATE EXTENSION pg_tde;
-- Should fail: no principal key for the database yet
-- TODO
SELECT key_provider_id, key_provider_name, principal_key_name
FROM pg_tde_principal_key_info();
ERROR: Principal key does not exists for the database
HINT: Use set_principal_key interface to set the principal key
key_provider_id | key_provider_name | principal_key_name
-----------------+-------------------+-----------------------
-3 | file-provider | default-principal-key
(1 row)

-- Should succeed: "localizes" the default principal key for the database
CREATE TABLE test_enc(
id SERIAL,
2 changes: 1 addition & 1 deletion contrib/pg_tde/sql/default_principal_key.sql
Expand Up @@ -34,7 +34,7 @@ CREATE DATABASE regress_pg_tde_other;

CREATE EXTENSION pg_tde;

-- Should fail: no principal key for the database yet
-- TODO
SELECT key_provider_id, key_provider_name, principal_key_name
FROM pg_tde_principal_key_info();

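Review bot: Replacing `-- Should fail: no principal key for the database yet` with `-- TODO` drops the assertion this query exists to make; the updated expected output shows `default-principal-key` from `file-provider` being returned for a freshly created database before any table exists, so the comment should state that as the contract, e.g. `-- Should succeed: a fresh database sees the default principal key before any relation is created`. A bare TODO in a regression test tends to survive indefinitely and leaves the next reader unsure whether the success is intended or a known gap. The following `-- Should succeed: "localizes" the default principal key` comment then also reads as a contrast with nothing to contrast against.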
11 changes: 5 additions & 6 deletions contrib/pg_tde/src/smgr/pg_tde_smgr.c
Expand Up @@ -41,19 +41,18 @@ tde_smgr_get_key(SMgrRelation reln, RelFileLocator *old_locator, bool can_create
TdeCreateEvent *event;
InternalKey *key;

if (IsCatalogRelationOid(reln->smgr_rlocator.locator.relNumber))
{
/* do not try to encrypt/decrypt catalog tables */
return NULL;
}

/* see if we have a key for the relation, and return if yes */
key = GetSMGRRelationKey(reln->smgr_rlocator);
if (key != NULL)
{
return key;
}

if (IsCatalogRelationOid(reln->smgr_rlocator.locator.relNumber) && can_create)
{
return pg_tde_create_smgr_key(&reln->smgr_rlocator);
}

event = GetCurrentTdeCreateEvent();

/*
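Review bot: The new branch `IsCatalogRelationOid(reln->smgr_rlocator.locator.relNumber) && can_create` passes a RelFileNumber to a predicate that, by its name, takes a relation OID; the two coincide only until a catalog relation is rewritten (a VACUUM FULL or CLUSTER on a catalog assigns a new relfilenumber), after which the relation would silently fall through to the generic event path below instead of getting a key here — this is carried over from the removed check rather than introduced, but it now decides whether a catalog relation gets keyed at all, so it is worth confirming. Separately, catalog relations already hold pages written before any key existed, so creating a key on the first create-capable access would make later reads attempt to decrypt plaintext pages unless a rewrite or migration step is guaranteed elsewhere; I cannot see that from this hunk. The old branch's explanatory comment was dropped and the new one has none; add `/* Catalog relations have no TDE create event: key them with the default principal key on first create-capable access */` above the new `if`, adjusting the wording if the key source differs. `tde_smgr_get_key`'s body continues past the hunk.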