On Mon, Aug 26, 2019 at 7:49 PM Joe Conway <m...@joeconway.com> wrote:
>
> On 8/26/19 2:53 AM, Masahiko Sawada wrote:
> > I guess that this depends on the number of encryption keys we use. If
> > we have encryption keys per tablespace or database the number of keys
> > would be at most several dozen or several hundred. It's enough to have
> > them in flat-file format on the disk and to load them to the hash
> > table on the shared memory. We would not need a complex mechanism.
> > OTOH if we have keys per tables, we would need to consider indexes and
> > buffering as they might not fit in the memory.
>
> Master key(s) need to be kept in memory, but derived keys (using KDF)
> would be calculated at time of use, I would think.
Yes, we can do that and the PoC patch does so. I'm rather concerned about
the salt and info to derive keys. We would need at least info, which could
be an OID perhaps, for each key. Also these data need to be accessible by
both the frontend tool and the startup process. If the info is very small
data, say a 4-byte OID, we could have all of them in memory even if we
have keys per table.

Regards,

--
Masahiko Sawada
NIPPON TELEGRAPH AND TELEPHONE CORPORATION
NTT Open Source Software Center
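The scheme discussed above (a master key kept in memory, per-relation keys derived at time of use by a KDF whose "info" is the relation's 4-byte OID) as an added, stand-alone example. This is not the PoC patch's code nor any PostgreSQL code; it is an HKDF-SHA256 implementation per RFC 5869 on the Python standard library. The cluster-wide salt, the "pg-tde-relation" label, the 32-byte key length and the sample OIDs are assumptions chosen for illustration. The only per-key state the example needs is the OID itself, which is the point being made in the message.

```python
import hashlib
import hmac
import struct

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 step 1: PRK = HMAC-Hash(salt, IKM). An empty salt is
    replaced by HASH_LEN zero bytes, as the RFC specifies."""
    if not salt:
        salt = bytes(HASH_LEN)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 step 2: OKM = T(1) || T(2) || ... truncated to `length`,
    where T(i) = HMAC-Hash(PRK, T(i-1) || info || i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested key too long for HKDF")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def relation_key_info(oid: int, purpose: bytes = b"pg-tde-relation") -> bytes:
    """Per-key 'info': a fixed label (assumed) plus the OID as 4 bytes in
    network byte order. The label keeps key hierarchies apart, so a relation
    key can never collide with a key derived for another purpose from the
    same OID value."""
    if not 0 <= oid <= 0xFFFFFFFF:
        raise ValueError("OID must fit in 4 bytes")
    return purpose + struct.pack(">I", oid)


class MasterKey:
    """Holds the master key material in memory. The HKDF extract step is run
    once at load time; only the (cheap) expand step runs per derivation, so
    derived keys need not be stored at all: an OID is enough to recreate
    any relation key on demand."""

    def __init__(self, master_key: bytes, cluster_salt: bytes):
        self._prk = hkdf_extract(cluster_salt, master_key)

    def relation_key(self, oid: int, key_len: int = 32) -> bytes:
        return hkdf_expand(self._prk, relation_key_info(oid), key_len)


def derive_relation_key(master_key: bytes, cluster_salt: bytes,
                        oid: int, key_len: int = 32) -> bytes:
    """One-shot form of MasterKey.relation_key, for callers such as a
    frontend tool that do not keep a key object around."""
    return hkdf(cluster_salt, master_key, relation_key_info(oid), key_len)


if __name__ == "__main__":
    # Constructed sample inputs; a real master key comes from a key manager.
    master = bytes(range(32))
    salt = b"constructed-cluster-salt"
    mk = MasterKey(master, salt)
    for oid in (16384, 16385):  # first user-table OIDs in a fresh cluster
        print(oid, mk.relation_key(oid).hex())
```

Both the startup process and a frontend tool can derive the same key from the same master key, salt and OID, which is why only the OIDs (4 bytes each) and the salt need to be shared between them.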