Hi Bruce In ckey_passphrase.sh.sample
+ +echo "$PASS" | sha256sum | cut -d' ' -f1 + Under the threat model discussed, a copy of the keyfile could be attacked offline. So getting from passphrase to DEKs should be as resource intensive as possible to slow down brute-force attempts. Instead of just a SHA hash, this should be at least a PBKDF2 (PKCS#5) operation or preferably scrypt (which is memory intensive as well as computationally intensive). While OpenSSL provides these key derivation options for it's encoding operations, it does not offer a command line option for key derivation using them. What's your view on including third party utilities like nettlepbkdf in the sample or providing this utility as a compiled program? In the same theme - in ossl_cipher_ctx_create and the functions using that context should rather be using the key-wrapping variants of the cipher. As well as lower throughput, with the resulting effects on brute force attempts, the key wrap variants provide more robust ciphertext output " KW, KWP, and TKW are each robust in the sense that each bit of output can be expected to depend in a nontrivial fashion on each bit of input, even when the length of the input data is greater than one block. This property is achieved at the cost of a considerably lower throughput rate, compared to other authenticated-encryption modes, but the tradeoff may be appropriate for some key management applications. For example, a robust method may be desired when the length of the keys to be protected is greater than the block size of the underlying block cipher, or when the value of the protected data is very high. " - NIST SP 800-38F and aim to manage the risk of short or predictable IVs ([1] final para of page 1) On Tue, 22 Dec 2020 at 15:40, Bruce Momjian <br...@momjian.us> wrote: > > Here is an updated patch. Are people happy with the Makefile, its > location in the source tree, and the install directory name? I used the > directory name 'auth_commands' because I thought 'auth' was too easily > misinterpreted. I put the scripts in /src/backend/utils/auth_commands. > What's implemented in these patches is an internal keystore, wrapped with a key derived from a passphrase. I'd think that the scripts directory should reflect what they interact with, so 'keystore_commands' or 'local_keystore_command' sounds more specific and therefore better than 'auth_commands'. Regards Alastair [1] https://web.cs.ucdavis.edu/~rogaway/papers/keywrap.pdf
