Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Fix TOAST Initialization vector (#102)
Currently, we encrypt TOASTed data always with the offset 0. That is not secure. The offset should be unique. This commit replaces the 0 "offset" with TOAST's `va_valueid` (Unique ID of value within the TOAST table) during encryption. This `va_valueid` is available during the TOAST fetch which is crucial for the decryption. Using `va_valueid` as the starting offset don't protect from having IV overlaps for different TOASTs. We have to deal with that after the changes to heap IV. During the TOAST externalisation we insert a new tuple which shouldn't be encrypted as the backend will give this tuple to us during the TOAST fetch, hence fetched with non-TDE functions, besides TOAST data already encrypted. For that (insert non-encrypted tuple) I had to modify some TDE AM functions. `pg_tde_toast_save_datum()` was copied from the PG code and modified. Along with `toastrel_valueid_exists()` and `toastid_valueid_exists()`. For #101
- Loading branch information