0%

GSoC 2022: pgmoneta On Disk Encryption

Posted on

TL, DR

Issue page.
Code refactoring pull request
All in one squashed pull request

Overview

pgmoneta is a backup / restore solution for PostgreSQL. The existing codebase already contains some encryption code used to encrypt passwords. I enhanced the encryption API, created new encryption workflow, and added cli options so that the encryption can be applied to wal and other data (e.g. config file). The documentation and benchmarking test are also provided for users to reference.

Contribution

Early Stage Investigation and Code Refactoring

At early stage, we discussed what encryption algorithms should be supported. As result, AES CBC mode and AES CTR mode are choosed for following reasons:

  • Advanced Encryption Standard Instruction Set (AES-NI) is now integrated into many processors. Hardware acceleration made AES outperform other algorithms.
  • CBC is supported because it is the most commonly used and considered save mode. Its main drawbacks are that encryption is sequential (decryption can be parallelized).
  • CTR is supported because both encryption and decryption are parallelizable. We offer user a faster encrtypt option.

After determining what algorithms to support, I moved existing aes code from security.h(c) to aes.h(c) before implement the feature.

Feature Implemention

Commits are squashed into one single pull request and you can check it here.

This is the most challenging part of the GSoC event. I spent lots of time understanding how the current event loop and workflow work. Debugging a multi-process program is a painful but fun experience and I learned a lot about gdb and addresssanitizer. Another challenge is handling complicated git workflow. I was always afraid to accidentally lose my changes when dealing with git. Participating GSoC and interacting with other people made me have a better understanding of git workflow.

Documentation and Benchmarking

The encryption feature is well documented. The configuration file parameter and its available options are listed in doc/CONFIGURATION.md. The comparison and choose of AES modes are described ENCRYPTION.md. The tutorial of perform a benchmarking test and test result also documented in ENCRYPTION.md.

Further Work

Track the issue page for details.

Acknowledgement

I am grateful to my mentor Jesper Pedersen, for his invaluable patience and feedback. I could not have undertaken this journey without his help.