On Sat, Jul 20, 2019 at 07:30:30PM +0200, Tomas Vondra wrote: > Forbid checksums? I don't see how that could be acceptable. We either have > to accept the limitations of the current design (having to decrypt > everything before checking the checksums) or change the design.
Yes, checksums certainly have to work. > I personally think we should do the latter - not just because of this > "decrypt-then-verify" issue, but consider how much work we've done to > allow enabling checksums on-line (it's still not there, but it's likely > doable in PG13). How are we going to do that with encryption? ISTM we > should design it so that we can enable encryption on-line too - maybe not > in v1, but it should be possible. So how are we going to do that? With > checksums it's (fairly) easy because we can "not verify" the page before > we know all pages have a checksum, but with encryption that's not > possible. And if the whole page is encrypted, then what? Well, I assumed we would start with a command-line offline tool to add/remove encryption, and I assumed the command-line tool pg_checksums would use the same code to decrypt the page to add/remove checksums and rewrite it. I don't think we will ever allow add/remove encryption in online mode. Does that help? -- Bruce Momjian <br...@momjian.us> http://momjian.us EnterpriseDB http://enterprisedb.com + As you are, so once was I. As I am, so you will be. + + Ancient Roman grave inscription +
