[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: LMDB encryption support

Timur Kristóf wrote:

I've recently added support for page-level encryption to LMDB 1.x
using user-supplied callbacks

That does sound cool. :)

One question is whether we should actually make this pluggable like
this, or
we should just hardcode support for a specific algorithm and leave it
at that.

I vote on keeping it pluggable, so every crypograpy nut out there can
use their favourite mechanism.

Yeah, that's still my inclination as well. And yes, there's a reference chacha20 implementation already, which I've been using for testing.

complication is that if the algorithm is actually user-selectable, we
need to
dynamically adjust DB page layouts to accommodate different nonce/IV
signature sizes. (Currently MDB_page metadata is a statically
structure. A dynamic size element here will make processing slower.)

What if page size would still be static, but that static size would be
user-defined on a per-environment basis?

We sort of support that already, allowing page sizes larger than the OS pagesize to be used. So I guess it's not too big of a change.

Question: will this affect performance on non-encrypted databases?

Ideally, not. ;)  It's a bit early to tell.

Anyway, the API I originally quoted needs to be tweaked to accomodate the authentication signature support so this is all still in flux.

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/