On the Road to TDE: David Christensen & Stephen Frost - PGCon 2023

David Christensen and Stephen Frost

Discover the challenges and solutions of implementing Transparent Data Encryption (TDE) for Postgres, including encryption, key management, and authentication, in this PGCon 2023 talk.

Key takeaways

Transcription Summary

  • Encryption: The talk discusses the idea of Transparent Data Encryption (TDE) for Postgres, specifically focusing on encrypting heap and index data, as well as log data.
  • Key challenges: The speaker highlights the difficulty of implementing TDE due to the sheer volume of data, the need for a Key Management System (KMS), and the complexity of handling encryption keys.
  • Page format: The speaker proposes using the page format to enable encryption, allowing for easier implementation and leveraging existing code.
  • Authentication: Authentication is a crucial aspect of TDE, requiring additional tags and checksums to ensure data integrity.
  • KMS: A KMS is necessary for TDE, allowing for secure key management and rotation.
  • Volume: The speaker notes that the volume of data is a significant challenge in implementing TDE.
  • Shared buffer pool: The shared buffer pool is discussed as a potential area for improvement, allowing for better memory allocation and usage.
  • Per-page IV: The speaker proposes using a per-page IV instead of an LSN-based IV to mitigate potential risks.
  • PGF: The speaker introduces the idea of a PGF (Page Feature) to enable encryption and other features on a per-page basis.
  • Block size: The speaker notes that block size is an important consideration in TDE, with the possibility of supporting multiple block sizes.
  • Multitenancy: The speaker touches on the possibility of multitenancy in TDE, allowing for separate encryption keys and features for different tenants.
  • TDE non-goal: The speaker expresses interest in implementing the TDE non-goal, which involves vaulting tools and using encryption independently of TDE.