database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-07-26 01:22:12 +03:00
Code Activity

Add key management system

Browse Source 
This adds a key management system that stores (currently) two data
encryption keys of length 128, 192, or 256 bits.  The data keys are
AES256 encrypted using a key encryption key, and validated via GCM
cipher mode.  A command to obtain the key encryption key must be
specified at initdb time, and will be run at every database server
start.  New parameters allow a file descriptor open to the terminal to
be passed.  pg_upgrade support has also been added.

Discussion: https://postgr.es/m/CA+fd4k7q5o6Nc_AaX6BcYM9yqTbC6_pnH-6nSD=54Zp6NBQTCQ@mail.gmail.com
Discussion: https://postgr.es/m/20201202213814.GG20285@momjian.us

Author: Masahiko Sawada, me, Stephen Frost
This commit is contained in:
Bruce Momjian
2020-12-25 10:19:44 -05:00
parent 5c31afc49d
commit 978f869b99
49 changed files with 2091 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
src/backend/bootstrap/bootstrap.c
View File

@ -28,12 +28,14 @@
#include "catalog/pg_collation.h"
#include "catalog/pg_type.h"
#include "common/link-canary.h"
#include "crypto/kmgr.h"
#include "libpq/pqsignal.h"
#include "miscadmin.h"
#include "nodes/makefuncs.h"
#include "pg_getopt.h"
#include "pgstat.h"
#include "postmaster/bgwriter.h"
#include "postmaster/postmaster.h"
#include "postmaster/startup.h"
#include "postmaster/walwriter.h"
#include "replication/walreceiver.h"
@ -51,6 +53,8 @@
#include "utils/relmapper.h"
uint32 bootstrap_data_checksum_version = 0; /* No checksum */
int bootstrap_file_encryption_keylen = 0; /* disabled */
char *bootstrap_old_key_datadir = NULL; /* disabled */
static void CheckerModeMain(void);
@ -224,7 +228,7 @@ AuxiliaryProcessMain(int argc, char *argv[])
/* If no -x argument, we are a CheckerProcess */
MyAuxProcType = CheckerProcess;
while ((flag = getopt(argc, argv, "B:c:d:D:Fkr:x:X:-:")) != -1)
while ((flag = getopt(argc, argv, "B:c:d:D:FkK:r:R:u:x:X:-:")) != -1)
{
switch (flag)
{
@ -253,9 +257,18 @@ AuxiliaryProcessMain(int argc, char *argv[])
case 'k':
bootstrap_data_checksum_version = PG_DATA_CHECKSUM_VERSION;
break;
case 'K':
bootstrap_file_encryption_keylen = atoi(optarg);
break;
case 'u':
bootstrap_old_key_datadir = pstrdup(optarg);
break;
case 'r':
strlcpy(OutputFileName, optarg, MAXPGPATH);
break;
case 'R':
terminal_fd = atoi(optarg);
break;
case 'x':
MyAuxProcType = atoi(optarg);
break;
@ -312,6 +325,12 @@ AuxiliaryProcessMain(int argc, char *argv[])
proc_exit(1);
}
if (bootstrap_file_encryption_keylen != 0 &&
bootstrap_file_encryption_keylen != 128 &&
bootstrap_file_encryption_keylen != 192 &&
bootstrap_file_encryption_keylen != 256)
elog(PANIC, "unrecognized file encryption length: %d", bootstrap_file_encryption_keylen);
switch (MyAuxProcType)
{
case StartupProcess: