PG-1013 Added build comparison table, moved features from index to comparison #280

Open
wants to merge 4 commits into
base: main

nastena1606
Collaborator

…mpaison


github-actions bot commented Sep 16, 2024

Performance test results:
Normal queries: 9266
TDE queries: 8540
Percentage: 92%
CSV entries: 1010312 pp-2019.csv
Sequential scan read times

HEAP: 1100.391
TDE: 1321.890 (120%)
TDE_BASIC: 1321.890 (156%)

@nastena1606 added the documentation label (Improvements or additions to documentation) on Sep 18, 2024
@nastena1606 marked this pull request as ready for review December 4, 2024 13:57
| Table encryption: <br> - data tables, <br> - TOAST tables <br> - temporary tables created during the database operation.<br><br> Metadata of those tables is not encrypted. | Table encryption: <br> - data tables, <br> - TOAST tables <br> - temporary tables created during the database operation.<br> - Index data for encrypted tables<br><br> Metadata of those tables is not encrypted. |
| Write-Ahead Log (WAL) encryption of data in encrypted tables | Write-Ahead Log (WAL) encryption of data for encrypted and non-encrypted tables |
| Multi-tenancy support| Multi-tenancy support |
| | Global principal key management |
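
Review bot: In the table-encryption row, both cells end with "Metadata of those tables is not encrypted" without saying what counts as metadata, so a reader cannot tell from this table what stays in plaintext. Suggest naming the unencrypted items or linking to the page that lists them. Minor: "Multi-tenancy support|" in the left cell is missing the space before the pipe that the other cells have.
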
Member

I'd skip "Global principal key management" in this table - it's a necessity for the full WAL encryption rather than a feature.

Collaborator Author

Updated


| PostgreSQL Community version | Percona Server for PostgreSQL version <br> |
|----------------------|-------------------------------|
| Table encryption: <br> - data tables, <br> - TOAST tables <br> - temporary tables created during the database operation.<br><br> Metadata of those tables is not encrypted. | Table encryption: <br> - data tables, <br> - TOAST tables <br> - temporary tables created during the database operation.<br> - Index data for encrypted tables<br><br> Metadata of those tables is not encrypted. |
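
Review bot: The header cell "Percona Server for PostgreSQL version <br>" ends with a `<br>` that has nothing after it; suggest dropping it so both column headers are written the same way.
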
Member

I'd stress somehow "Index data for encrypted tables" (bold text or else) because this is the main reason we started this gig, but currently it's visually concealed among other things in the table.

Collaborator Author

Good point. Updated, moved to the top in the list

* Added event triggers to identify index creation operations on encrypted tables and store those in a custom storage
* Exposed Storage Manager API and added the usage of Initialization vector (IV) in it.
* Added support for secure transfer of keys using the [OASIS Key Management Interoperability Protocol (KMIP)](https://docs.oasis-open.org/kmip/kmip-spec/v2.0/os/kmip-spec-v2.0-os.html). The KMIP implementation was tested with the PyKMIP server and the HashiCorp Vault Enterprise KMIP Secrets Engine.
* Added the `pg_tde_alter_principal_key_keyring('new-provider-name')`function, which copies the principal key to the specified new provider
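
Review bot: In the last bullet there is no space between the closing backtick of `pg_tde_alter_principal_key_keyring('new-provider-name')` and the word "function"; add one so the code span ends cleanly. The bullets in this list also end inconsistently (the second and third end with a period, the first and last do not), so pick one style.
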
Member

Technically speaking, this function doesn't copy the key; it just makes it possible to change the key's keyring provider. So the user would have to add a new provider (if it's not in the system yet) and copy the key there "manually" before calling this function...

Collaborator Author

How to copy the key? I'm about to add this instruction to the release notes item

* Improved memory usage of `tde_heap_basic `during sequential reads
* Improved `tde_heap_basic` for select statements
* Added encryption support for (some) command line utilities
* JSON data is now handled with internal postgres JSON parser instead of jsonc
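
Review bot: "Added encryption support for (some) command line utilities" does not tell the reader which utilities are covered; for release notes of an encryption feature, suggest listing them by name instead of "(some)". Also, in the first bullet the code span around tde_heap_basic has its trailing space inside the backticks rather than after them, so it runs into "during".
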
Member

This is the same as "Keyring configuration now uses common JSON API. This simplifies code handling and enables frontend tools like pg_waldump to read the code thus improving debugging."

Collaborator Author

Removed
