On Thu, Oct 7, 2021 at 10:28:55AM -0400, Robert Haas wrote:
> However, there's also the option of storing a nonce in each page, as
> suggested by the subject of this thread. I think that's probably a
> pretty workable approach, as demonstrated by the patch that started
> this thread. We'd need to think a bit carefully about whether any of
> the compile-time calculations the patch moves to runtime are expensive
> enough to matter and whether any such impacts can be mitigated, but I
> think there is a good chance that such issues are manageable.
>
> I'm a little concerned by the email from "Sasasu" saying that even in
> XTS reusing the IV is not cryptographically weak. I don't know enough
> about these different encryption modes to know if he's right, but if
> he is then perhaps we need to consider his suggestion of using
> AES-GCM. Or, uh, something else.

I continue to be concerned that a page format change will decrease the
desirability of this feature by making migration complex and increasing
its code complexity. I am unclear if it is necessary.

I think the big question is whether XTS with db/relfilenode/blocknumber
is sufficient as an IV without a nonce that changes for updates.

--
  Bruce Momjian  <br...@momjian.us>        https://momjian.us
  EDB                                      https://enterprisedb.com

  If only the physical world exists, free will is an illusion.
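
An added illustration, not part of the message above or of the patch under discussion: it encrypts successive versions of one page with AES-XTS under a tweak derived only from db/relfilenode/blocknumber and reports which ciphertext blocks change between writes. It assumes the Python `cryptography` package; the tweak packing, ids, key and page contents are constructed for the example.

```python
# Added illustration; not code from the thread or the PostgreSQL patch.
import struct
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

PAGE_SIZE = 8192  # PostgreSQL default block size
AES_BLOCK = 16

def page_tweak(db_oid, relfilenode, blocknumber):
    # Assumed layout: three 32-bit ids, zero-padded to the 16-byte XTS tweak.
    return struct.pack("<III", db_oid, relfilenode, blocknumber).ljust(16, b"\x00")

def encrypt_page(key, tweak, page):
    enc = Cipher(algorithms.AES(key), modes.XTS(tweak)).encryptor()
    return enc.update(page) + enc.finalize()

def changed_blocks(a, b):
    # Indexes of the 16-byte blocks that differ between two ciphertexts.
    return [i // AES_BLOCK for i in range(0, len(a), AES_BLOCK)
            if a[i:i + AES_BLOCK] != b[i:i + AES_BLOCK]]

def demo():
    key = bytes(range(64))            # constructed AES-256-XTS key, two distinct halves
    tweak = page_tweak(5, 16384, 7)   # constructed ids
    v1 = bytes(PAGE_SIZE)             # constructed page image
    v2 = bytearray(v1)
    v2[4000:4004] = b"EDIT"           # a 4-byte update inside block 250
    c1 = encrypt_page(key, tweak, v1)
    c2 = encrypt_page(key, tweak, bytes(v2))
    c3 = encrypt_page(key, tweak, v1)  # page written back with its old contents
    c_next = encrypt_page(key, page_tweak(5, 16384, 8), v1)
    return {
        "changed": changed_blocks(c1, c2),
        "revert_identical": c3 == c1,
        "next_page_differs": len(changed_blocks(c1, c_next)),
    }

if __name__ == "__main__":
    print(demo())
```

With the tweak fixed per page location, two stored copies of the same page show exactly which 16-byte block was updated and whether the page returned to an earlier state, while the same plaintext at a different block number encrypts differently in every block.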