9:56 a.m.
I'm evaluating LMDB, and one feature we consider important is file-level encryption.
The memory-mapped, zero-copy nature of LMDB would seem to be incompatible with encryption,
but there is a tantalizing post from Howard Chu two years ago:
• To: "OpenLDAP-devel(a)openldap.org"
<OpenLDAP-devel(a)openldap.org>
• Subject: LMDB encryption support
• From: Howard Chu <hyc(a)symas.com>
• Date: Thu, 10 Aug 2017 16:55:57 +0100
I've recently added support for page-level encryption to LMDB 1.x
using user-supplied callbacks:
( https://www.openldap.org/lists/openldap-devel/201708/msg00002.html
<https://www.openldap.org/lists/openldap-devel/201708/msg00002.html> )
However, the API shown in the email is not present in mainline LMDB (0.9.24), nor can I
find it in a branch in the Git repository. Was this an abandoned experiment? Or is it only
available with a commercial license (as is SQLite's encryption extension?)
(Whether or not this feature still exists, I'm curious about how it was implemented.
It seems like it would either require some kind of kernel-level support for hooking into
the VM pager to rewrite pages after they're faulted in, or else not using
memory-mapping at all and going with a page-cache a la SQLite.)
Thanks,
—Jens
1:11 p.m.
Jens Alfke wrote:
I'm evaluating LMDB, and one feature we consider important is
file-level encryption. The memory-mapped, zero-copy nature of LMDB would seem to be
incompatible
with encryption, but there is a tantalizing post from Howard Chu two years ago:
> • To: "OpenLDAP-devel(a)openldap.org
<mailto:OpenLDAP-devel@openldap.org>" <OpenLDAP-devel(a)openldap.org>
> • Subject: LMDB encryption support
> • From: Howard Chu <hyc(a)symas.com <mailto:hyc@symas.com>>
> • Date: Thu, 10 Aug 2017 16:55:57 +0100
>
> I've recently added support for page-level encryption to LMDB 1.x
using user-supplied callbacks:
( https://www.openldap.org/lists/openldap-devel/201708/msg00002.html )
However, the API shown in the email is not present in mainline LMDB (0.9.24), nor can I
find it in a branch in the Git repository. Was this an abandoned
experiment? Or is it only available with a commercial license (as is SQLite's
encryption extension?)
It's in a private branch, for closed-source licensees. But we'll be opening it up
soon.
(Whether or not this feature still exists, I'm curious about how
it was implemented. It seems like it would either require some kind of kernel-level
support for
hooking into the VM pager to rewrite pages after they're faulted in, or else not
using memory-mapping at all and going with a page-cache a la SQLite.)
Yes it requires LMDB to manage cached pages. I'm not too fond of that, but there was
no other way.
Thanks,
—Jens
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
1456
days inactive
1457
days old
openldap-technical@openldap.org
1 comments
2 participants
participants (2)
-
Howard Chu -
Jens Alfke