author | Bruce Momjian <bruce@momjian.us> | 2020-12-25 10:19:44 -0500 |
committer | Bruce Momjian <bruce@momjian.us> | 2020-12-25 10:19:44 -0500 |
commit | 978f869b992f9fca343e99d6fdb71073c76e869a (patch) | |
tree | b8020240551aa16da5b4fc9fbf96710de2d667e4 /src/backend/utils/misc/guc.c | |
parent | 5c31afc49d0b62b357218b6f8b01782509ef8acd (diff) |
Add key management system
This adds a key management system that stores (currently) two data
encryption keys of length 128, 192, or 256 bits. The data keys are
AES256 encrypted using a key encryption key, and validated via GCM
cipher mode. A command to obtain the key encryption key must be
specified at initdb time, and will be run at every database server
start. New parameters allow a file descriptor open to the terminal to
be passed. pg_upgrade support has also been added.
Discussion: https://postgr.es/m/CA+fd4k7q5o6Nc_AaX6BcYM9yqTbC6_pnH-6nSD=54Zp6NBQTCQ@mail.gmail.com
Discussion: https://postgr.es/m/20201202213814.GG20285@momjian.us
Author: Masahiko Sawada, me, Stephen Frost
Diffstat (limited to 'src/backend/utils/misc/guc.c')
-rw-r--r-- | src/backend/utils/misc/guc.c | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c
index 878fcc22365..bbaf037bc6e 100644
--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@@ -47,6 +47,7 @@
 #include "commands/vacuum.h"
 #include "commands/variable.h"
 #include "common/string.h"
+#include "crypto/kmgr.h"
 #include "funcapi.h"
 #include "jit/jit.h"
 #include "libpq/auth.h"
@@ -745,6 +746,8 @@ const char *const config_group_names[] =
 gettext_noop("Statistics / Monitoring"),
 /* STATS_COLLECTOR */
 gettext_noop("Statistics / Query and Index Statistics Collector"),
+ /* ENCRYPTION */
+ gettext_noop("Encryption"),
 /* AUTOVACUUM */
 gettext_noop("Autovacuum"),
 /* CLIENT_CONN */
@@ -3389,6 +3392,17 @@ static struct config_int ConfigureNamesInt[] =
 check_huge_page_size, NULL, NULL
 },
 
+ {
+ {"file_encryption_keylen", PGC_INTERNAL, PRESET_OPTIONS,
+ gettext_noop("Shows the bit length of the file encryption key."),
+ NULL,
+ GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE
+ },
+ &file_encryption_keylen,
+ 0, 0, 256,
+ NULL, NULL, NULL
+ },
+
 /* End-of-list marker */
 {
 {NULL, 0, 0, NULL, NULL}, NULL, 0, 0, 0, NULL, NULL, NULL
@@ -4384,6 +4398,16 @@ static struct config_string ConfigureNamesString[] =
 },
 
 {
+ {"cluster_key_command", PGC_SIGHUP, ENCRYPTION,
+ gettext_noop("Command to obtain cluster key for cluster file encryption."),
+ NULL
+ },
+ &cluster_key_command,
+ "",
+ NULL, NULL, NULL
+ },
+
+ {
 {"application_name", PGC_USERSET, LOGGING_WHAT,
 gettext_noop("Sets the application name to be reported in statistics and logs."),
 NULL, |
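Review bot: The range `0, 0, 256` given for file_encryption_keylen in the ConfigureNamesInt hunk admits any value between 0 and 256, while the commit message says the data keys are 128, 192 or 256 bits long. Because the entry is PGC_INTERNAL with PRESET_OPTIONS, the value is presumably assigned by the server at startup rather than parsed from configuration, so the range only documents intent and a reader has no way to tell what 0 means. A one-line comment above the entry would close that gap, e.g. `/* assigned by the server at startup; 0 means no file encryption key is in use (TODO confirm) */`. The code that assigns the variable lives outside this file and is not visible in the hunk.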
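Review bot: The cluster_key_command entry in the ConfigureNamesString hunk sets no flags in its generic part (`NULL` is the long description and the flags field is left at 0), so the command string is readable by any role through SHOW and pg_settings. A command that obtains the key encryption key may embed a path, a device or an argument that an unprivileged user should not learn; the comparable command-string settings in this file are, as far as I recall, marked GUC_SUPERUSER_ONLY, and changing the line to `NULL, GUC_SUPERUSER_ONLY` would restrict visibility in the same way. Separately, PGC_SIGHUP lets the value change on reload although the commit message says the command is only run at server start, so a reloaded value is silently unused until the next restart; if that is intended for key rotation, a short comment on the entry saying so would help, otherwise PGC_POSTMASTER matches the described behaviour.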