Timur Kristóf wrote:
Hi,
> I've recently added support for page-level encryption to LMDB 1.x
> using user-supplied callbacks
That does sound cool. :)
> One question is whether we should actually make this pluggable like this, or
> we should just hardcode support for a specific algorithm and leave it at that.
I vote on keeping it pluggable, so every cryptography nut out there can
use their favourite mechanism.
Yeah, that's still my inclination as well. And yes, there's a reference
chacha20 implementation already, which I've been using for testing.
> One complication is that if the algorithm is actually user-selectable, we need to
> dynamically adjust DB page layouts to accommodate different nonce/IV and
> signature sizes. (Currently MDB_page metadata is a statically defined
> structure. A dynamic size element here will make processing slower.)
What if page size would still be static, but that static size would be
user-defined on a per-environment basis?
We sort of support that already, allowing page sizes larger than the OS
pagesize to be used. So I guess it's not too big of a change.
Question: will this affect performance on non-encrypted databases?
Ideally, not. ;) It's a bit early to tell.
Anyway, the API I originally quoted needs to be tweaked to accommodate the
authentication signature support so this is all still in flux.
--
-- Howard Chu
CTO, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/