On the Road to TDE: David Christensen & Stephen Frost - PGCon 2023
Discover the challenges and solutions of implementing Transparent Data Encryption (TDE) for Postgres, including encryption, key management, and authentication, in this PGCon 2023 talk.
Transcription Summary
- Encryption: The talk discusses the idea of Transparent Data Encryption (TDE) for Postgres, specifically focusing on encrypting heap and index data, as well as log data.
- Key challenges: The speaker highlights the difficulty of implementing TDE due to the sheer volume of data, the need for a Key Management System (KMS), and the complexity of handling encryption keys.
- Page format: The speaker proposes using the page format to enable encryption, allowing for easier implementation and leveraging existing code.
- Authentication: Authentication is a crucial aspect of TDE, requiring additional tags and checksums to ensure data integrity.
- KMS: A KMS is necessary for TDE, allowing for secure key management and rotation.
- Volume: The speaker notes that the volume of data is a significant challenge in implementing TDE.
- Shared buffer pool: The shared buffer pool is discussed as a potential area for improvement, allowing for better memory allocation and usage.
- Per-page IV: The speaker proposes using a per-page IV instead of an LSN-based IV to mitigate potential risks.
- PGF: The speaker introduces the idea of a PGF (Page Feature) to enable encryption and other features on a per-page basis.
- Block size: The speaker notes that block size is an important consideration in TDE, with the possibility of supporting multiple block sizes.
- Multitenancy: The speaker touches on the possibility of multitenancy in TDE, allowing for separate encryption keys and features for different tenants.
- TDE non-goals: The speaker also expresses interest in items listed as non-goals of the TDE effort itself, such as vaulting tools and using encryption independently of TDE.
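As an added illustration (not code from the talk or from PostgreSQL), this Go sketch shows the idea behind the Authentication and Per-page IV bullets above: each page body is sealed with AES-256-GCM under a fresh random nonce stored in the page, and the tag must verify before any plaintext is returned. It goes one step beyond the summary by also binding the block number as associated data; the page layout, sizes and function names are all hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// Hypothetical layout for illustration only (not PostgreSQL's real page format):
// [encrypted body][16-byte GCM tag][12-byte per-page nonce] = 8192 bytes.
const pageSize, nonceSize, tagSize = 8192, 12, 16
const bodySize = pageSize - tagSize - nonceSize

// newPageCipher builds the AEAD for one key (a 32-byte key gives AES-256-GCM).
func newPageCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// blockAD binds a page to its block number as associated data, so a valid page
// copied into another slot of the relation fails authentication.
func blockAD(blockNo uint32) []byte { return binary.BigEndian.AppendUint32(nil, blockNo) }

// encryptPage uses a fresh random nonce on every write (per-page IV) rather than an LSN-derived one.
func encryptPage(gcm cipher.AEAD, body []byte, blockNo uint32) ([]byte, error) {
	if len(body) != bodySize {
		return nil, errors.New("body must be exactly bodySize bytes")
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	page := gcm.Seal(nil, nonce, body, blockAD(blockNo)) // ciphertext || tag
	return append(page, nonce...), nil
}

// decryptPage verifies the tag first: any modified byte or wrong block number yields an error, not plaintext.
func decryptPage(gcm cipher.AEAD, page []byte, blockNo uint32) ([]byte, error) {
	if len(page) != pageSize {
		return nil, errors.New("page must be exactly pageSize bytes")
	}
	nonce := page[pageSize-nonceSize:]
	return gcm.Open(nil, nonce, page[:pageSize-nonceSize], blockAD(blockNo))
}
```

Because the nonce is random per write, two encryptions of an identical body produce different pages, and a page moved to a different block number fails to decrypt.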