> -----Original Message-----
> From: Stephen Frost <sfr...@snowman.net>
> Sent: Friday, 16 August 2019 11:01 AM

> Having direct integration with a KMS would certainly be valuable, and I don't 
> see a reason to deny users that option if someone would like to spend time
> implementing it- in addition to a simpler mechanism such as a passphrase 
> command, which I believe is what was being suggested here.

Yes. We recently made an internal PoC for FEP to enable it to reach out to AWS
KMS whenever the MKEY was rotated or a TDKEY was created. This was achieved by
inserting some hooks in our TDE code; these hooks were implemented by a
contrib module loaded via the shared_preload_libraries GUC variable. So when no
special "tdekey_aws" module was loaded, our TDE functionality simply reverted to
its default (random) MDEK/TDEK keys.

Even if the OSS community chooses not to implement any KMS integration, the TDE
design could consider providing hooks in a few appropriate places to make it
easy for people who may need to add their own later.

Regards,
---
Peter Smith
Fujitsu Australia
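
The hook arrangement the message describes, as an added stand-alone example that is not FEP or PostgreSQL code: a function-pointer hook slot in the core TDE key-generation path, left NULL by default so key generation falls back to random keys, and a stand-in for what a "tdekey_aws" module would do in its _PG_init() to claim the slot. The hook name, the module functions, the marker bytes the stand-in KMS writes, and the deterministic xorshift used in place of pg_strong_random() are all assumptions made so the code compiles and runs offline. One check worth keeping in a real implementation is shown: the core path refuses a key that a provider reports as generated but left all-zero.

```c
/* Added example (not FEP or PostgreSQL code). Imitates PostgreSQL's
 * function-pointer hook convention for TDE key generation. Names, the
 * "tdekey_aws" stand-in and the PRNG are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TDE_KEY_LEN 32

/* Signature a key-provider module implements. "purpose" says which key is
 * being made (e.g. "MDEK" or "TDEK"); the provider must fill key[0..len). */
typedef bool (*tde_generate_key_hook_type)(const char *purpose,
                                           uint8_t *key, size_t len);

/* The hook slot. NULL means no preloaded module claimed key generation. */
tde_generate_key_hook_type tde_generate_key_hook = NULL;

static int default_calls = 0;
static int kms_calls = 0;

/* Default provider. Real server code would call pg_strong_random(); this
 * deterministic xorshift64* keeps the example self-contained (assumption). */
static uint64_t prng_state = 0x9E3779B97F4A7C15ULL;

static uint64_t prng_next(void)
{
    prng_state ^= prng_state >> 12;
    prng_state ^= prng_state << 25;
    prng_state ^= prng_state >> 27;
    return prng_state * 0x2545F4914F6CDD1DULL;
}

static bool tde_default_generate_key(uint8_t *key, size_t len)
{
    default_calls++;
    for (size_t i = 0; i < len; i++)
        key[i] = (uint8_t) (prng_next() >> 56);
    return true;
}

/* Core entry point called when the MDEK is rotated or a TDEK is created.
 * Dispatches to the hook when one is installed, else to the default, and
 * rejects a provider that reports success but left the key all-zero. */
bool tde_generate_key(const char *purpose, uint8_t *key, size_t len)
{
    bool ok;
    if (key == NULL || len == 0 || len > TDE_KEY_LEN)
        return false;
    memset(key, 0, len);
    if (tde_generate_key_hook != NULL)
        ok = tde_generate_key_hook(purpose, key, len);
    else
        ok = tde_default_generate_key(key, len);
    if (!ok)
        return false;
    for (size_t i = 0; i < len; i++)
        if (key[i] != 0)
            return true;
    return false;           /* provider "succeeded" without writing a key */
}

/* ---- What a hypothetical "tdekey_aws" module would do in _PG_init() ---- */
static tde_generate_key_hook_type prev_generate_key_hook = NULL;

/* Constructed stand-in for the KMS round trip: writes a marker pattern. */
static bool kms_generate_key(const char *purpose, uint8_t *key, size_t len)
{
    (void) purpose;
    kms_calls++;
    for (size_t i = 0; i < len; i++)
        key[i] = (uint8_t) (0xA0 + (i & 0x0F));
    return true;
}

bool tdekey_module_init(void)
{
    if (tde_generate_key_hook != NULL)  /* refuse to stack two providers */
        return false;
    prev_generate_key_hook = tde_generate_key_hook;
    tde_generate_key_hook = kms_generate_key;
    return true;
}

bool tdekey_module_fini(void)
{
    tde_generate_key_hook = prev_generate_key_hook;
    return tde_generate_key_hook == NULL;
}

/* ---- Accessors so both paths can be observed from outside ---- */
static uint8_t last_key[TDE_KEY_LEN];

bool tde_demo_generate(const char *purpose)
{
    return tde_generate_key(purpose, last_key, TDE_KEY_LEN);
}
uint8_t tde_demo_key_byte(size_t i) { return i < TDE_KEY_LEN ? last_key[i] : 0; }
int tde_default_call_count(void) { return default_calls; }
int tde_kms_call_count(void) { return kms_calls; }

int main(void)
{
    const char *purposes[] = { "MDEK", "TDEK" };
    for (int pass = 0; pass < 2; pass++) {
        if (pass == 1)
            tdekey_module_init();       /* as shared_preload_libraries would */
        for (int p = 0; p < 2; p++) {
            if (!tde_demo_generate(purposes[p]))
                return 1;
            printf("%s via %s: ", purposes[p], pass ? "tdekey_aws" : "default");
            for (size_t i = 0; i < 8; i++)
                printf("%02x", tde_demo_key_byte(i));
            printf("...\n");
        }
    }
    return 0;
}
```

Run once with no module installed and once after tdekey_module_init(): the first pass yields keys from the default provider, the second yields the marker pattern from the stand-in. The init refuses to install over an existing hook, which is the simplest way to avoid two modules silently fighting over who supplies keys.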
