PG-1257 Add function for principal key removal

artemgavrilov · artemgavrilov · commit 179f5d727bcf · 2025-05-28T17:49:12.000+02:00
Add SQL function that allow user to remove principal key. Principal key
can be removed if there are no encrypted tables or if there is default
key. For the first case we just drop key map file completely, for
the second we perfom key rotation.
diff --git a/contrib/pg_tde/expected/delete_principal_key.out b/contrib/pg_tde/expected/delete_principal_key.out
@@ -0,0 +1,97 @@
+CREATE EXTENSION IF NOT EXISTS pg_tde;
+SELECT pg_tde_add_global_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');
+ pg_tde_add_global_key_provider_file 
+-------------------------------------
+                                  -1
+(1 row)
+
+-- Set the local key and delete it without any encrypted tables
+-- Should succeed, nothing used the key
+SELECT pg_tde_set_key_using_global_key_provider('test-db-key','file-vault');
+ pg_tde_set_key_using_global_key_provider 
+------------------------------------------
+ 
+(1 row)
+
+SELECT key_provider_id, key_provider_name, key_name FROM pg_tde_key_info();
+ key_provider_id | key_provider_name |  key_name   
+-----------------+-------------------+-------------
+              -1 | file-vault        | test-db-key
+(1 row)
+
+SELECT pg_tde_delete_key();
+ pg_tde_delete_key 
+-------------------
+ 
+(1 row)
+
+-- Set local key, encrypt a table, and delete the key
+-- Should fail, the is no default key to fallback
+SELECT pg_tde_set_key_using_global_key_provider('test-db-key','file-vault');
+ pg_tde_set_key_using_global_key_provider 
+------------------------------------------
+ 
+(1 row)
+
+CREATE TABLE test_table (id int, data text) USING tde_heap;
+SELECT pg_tde_delete_key();
+ERROR:  Cannot delete principal key, there are encrypted tables and default principal key is not set
+HINT:  Use set_key interface to set the default principal key or decrypt all tables before deleting the principal key
+-- Decrypt the table and delete the key
+-- Should succeed, there is no more encrypted tables
+ALTER TABLE test_table SET ACCESS METHOD heap;
+SELECT pg_tde_delete_key();
+ pg_tde_delete_key 
+-------------------
+ 
+(1 row)
+
+-- Set local key, encrypt the table then delete teable and key
+-- Should succeed, the table is deleted and there are no more encrypted tables
+SELECT pg_tde_set_key_using_global_key_provider('test-db-key','file-vault');
+ pg_tde_set_key_using_global_key_provider 
+------------------------------------------
+ 
+(1 row)
+
+ALTER TABLE test_table SET ACCESS METHOD tde_heap;
+DROP TABLE test_table;
+SELECT pg_tde_delete_key();
+ pg_tde_delete_key 
+-------------------
+ 
+(1 row)
+
+-- Set default key, set regular key, create table, delete regular key
+-- Should succeed, regular key will be rotated to default key
+SELECT pg_tde_set_default_key_using_global_key_provider('defalut-key','file-vault');
+ pg_tde_set_default_key_using_global_key_provider 
+--------------------------------------------------
+ 
+(1 row)
+
+SELECT pg_tde_set_key_using_global_key_provider('test-db-key','file-vault');
+ pg_tde_set_key_using_global_key_provider 
+------------------------------------------
+ 
+(1 row)
+
+CREATE TABLE test_table (id int, data text) USING tde_heap;
+SELECT pg_tde_delete_key();
+ pg_tde_delete_key 
+-------------------
+ 
+(1 row)
+
+SELECT key_provider_id, key_provider_name, key_name FROM pg_tde_key_info();
+ key_provider_id | key_provider_name |  key_name   
+-----------------+-------------------+-------------
+              -1 | file-vault        | defalut-key
+(1 row)
+
+-- Try to delete key when default key is used
+-- Should fail, table already uses the default key, so there is no key to fallback to
+SELECT pg_tde_delete_key();
+ERROR:  Cannot delete principal key, there are encrypted tables and default principal key used for the database
+DROP TABLE test_table;
+DROP EXTENSION pg_tde;
diff --git a/contrib/pg_tde/pg_tde--1.0-rc.sql b/contrib/pg_tde/pg_tde--1.0-rc.sql
@@ -454,6 +454,11 @@ RETURNS VOID
 LANGUAGE C
 AS 'MODULE_PATHNAME';
 
+CREATE FUNCTION pg_tde_delete_key()
+RETURNS VOID
+LANGUAGE C
+AS 'MODULE_PATHNAME';
+
 CREATE FUNCTION pg_tde_key_info()
 RETURNS TABLE ( key_name TEXT,
                 key_provider_name TEXT,
diff --git a/contrib/pg_tde/sql/delete_principal_key.sql b/contrib/pg_tde/sql/delete_principal_key.sql
@@ -0,0 +1,42 @@
+CREATE EXTENSION IF NOT EXISTS pg_tde;
+
+SELECT pg_tde_add_global_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');
+
+-- Set the local key and delete it without any encrypted tables
+-- Should succeed, nothing used the key
+SELECT pg_tde_set_key_using_global_key_provider('test-db-key','file-vault');
+SELECT key_provider_id, key_provider_name, key_name FROM pg_tde_key_info();
+SELECT pg_tde_delete_key();
+
+-- Set local key, encrypt a table, and delete the key
+-- Should fail, the is no default key to fallback
+SELECT pg_tde_set_key_using_global_key_provider('test-db-key','file-vault');
+CREATE TABLE test_table (id int, data text) USING tde_heap;
+SELECT pg_tde_delete_key();
+
+-- Decrypt the table and delete the key
+-- Should succeed, there is no more encrypted tables
+ALTER TABLE test_table SET ACCESS METHOD heap;
+SELECT pg_tde_delete_key();
+
+-- Set local key, encrypt the table then delete teable and key
+-- Should succeed, the table is deleted and there are no more encrypted tables
+SELECT pg_tde_set_key_using_global_key_provider('test-db-key','file-vault');
+ALTER TABLE test_table SET ACCESS METHOD tde_heap;
+DROP TABLE test_table;
+SELECT pg_tde_delete_key();
+
+-- Set default key, set regular key, create table, delete regular key
+-- Should succeed, regular key will be rotated to default key
+SELECT pg_tde_set_default_key_using_global_key_provider('defalut-key','file-vault');
+SELECT pg_tde_set_key_using_global_key_provider('test-db-key','file-vault');
+CREATE TABLE test_table (id int, data text) USING tde_heap;
+SELECT pg_tde_delete_key();
+SELECT key_provider_id, key_provider_name, key_name FROM pg_tde_key_info();
+
+-- Try to delete key when default key is used
+-- Should fail, table already uses the default key, so there is no key to fallback to
+SELECT pg_tde_delete_key();
+
+DROP TABLE test_table;
+DROP EXTENSION pg_tde;
diff --git a/contrib/pg_tde/src/access/pg_tde_tdemap.c b/contrib/pg_tde/src/access/pg_tde_tdemap.c
@@ -544,6 +544,87 @@ pg_tde_perform_rotate_key(TDEPrincipalKey *principal_key, TDEPrincipalKey *new_p
 	}
 }
 
+/*
+ * Checks if the key map file for the given database has any non-empty entries.
+ *
+ * The caller must hold the lock on the files before calling this function.
+*/
+bool
+pg_tde_is_key_map_empty(Oid dbOid)
+{
+	char		path[MAXPGPATH];
+	off_t		pos;
+	int			fd;
+
+	pg_tde_set_db_file_path(dbOid, path);
+
+	fd = pg_tde_open_file_read(path, false, &pos);
+
+	while (1)
+	{
+		TDEMapEntry map_entry;
+
+		if (!pg_tde_read_one_map_entry(fd, &map_entry, &pos))
+			break;
+
+		if (map_entry.type != MAP_ENTRY_EMPTY)
+		{
+			close(fd);
+			return false;
+		}
+	}
+
+	close(fd);
+	return true;
+}
+
+
+void
+pg_tde_delete_principal_key_redo(Oid dbOid)
+{
+	LWLockAcquire(tde_lwlock_enc_keys(), LW_EXCLUSIVE);
+
+	/* This is called during recovery, so no XLog records allowed */
+	pg_tde_delete_principal_key(dbOid, false);
+
+	LWLockRelease(tde_lwlock_enc_keys());
+}
+
+/*
+ * Deletes the principal key for the database. This fucntion checks if key map
+ * file has any entries, and if not, it removes the file. Otherwise raises an error.
+ *
+ * The caller must hold an exclusive lock on the files before calling this function.
+ */
+void
+pg_tde_delete_principal_key(Oid dbOid, bool write_xlog)
+{
+	char		path[MAXPGPATH];
+
+	pg_tde_set_db_file_path(dbOid, path);
+
+	/*
+	 * Check that there aro no local keys in the map file, i.e. nothing is
+	 * encrypted with the principal key.
+	 */
+	if (!pg_tde_is_key_map_empty(dbOid))
+	{
+		ereport(ERROR,
+				errcode(ERRCODE_INTERNAL_ERROR),
+				errmsg("could not delete key, key map file is not empty"));
+	}
+
+	if (write_xlog)
+	{
+		XLogBeginInsert();
+		XLogRegisterData((char *) &dbOid, sizeof(Oid));
+		XLogInsert(RM_TDERMGR_ID, XLOG_TDE_DELETE_PRINCIPAL_KEY);
+	}
+
+	/* Remove whole key map file */
+	durable_unlink(path, ERROR);
+}
+
 /*
  * It's called by seg_write inside crit section so no pallocs, hence
  * needs keyfile_path
diff --git a/contrib/pg_tde/src/access/pg_tde_xlog.c b/contrib/pg_tde/src/access/pg_tde_xlog.c
@@ -67,6 +67,12 @@ tdeheap_rmgr_redo(XLogReaderState *record)
 
 		xl_tde_perform_rotate_key(xlrec);
 	}
+	else if (info == XLOG_TDE_DELETE_PRINCIPAL_KEY)
+	{
+		Oid			dbOid = *((Oid *) XLogRecGetData(record));
+
+		pg_tde_delete_principal_key_redo(dbOid);
+	}
 	else if (info == XLOG_TDE_WRITE_KEY_PROVIDER)
 	{
 		KeyringProviderRecordInFile *xlrec = (KeyringProviderRecordInFile *) XLogRecGetData(record);
diff --git a/contrib/pg_tde/src/catalog/tde_principal_key.c b/contrib/pg_tde/src/catalog/tde_principal_key.c
@@ -35,6 +35,8 @@
 #ifndef FRONTEND
 #include "access/genam.h"
 #include "access/table.h"
+#include "access/tableam.h"
+#include "access/heapam.h"
 #include "common/pg_tde_shmem.h"
 #include "funcapi.h"
 #include "lib/dshash.h"
@@ -101,11 +103,13 @@ static void set_principal_key_with_keyring(const char *key_name,
 										   Oid dbOid,
 										   bool ensure_new_key);
 static bool pg_tde_verify_principal_key_internal(Oid databaseOid);
+static void pg_tde_rotate_default_key_for_database(TDEPrincipalKey *oldKey, TDEPrincipalKey *newKeyTemplate);
 
 PG_FUNCTION_INFO_V1(pg_tde_set_default_key_using_global_key_provider);
 PG_FUNCTION_INFO_V1(pg_tde_set_key_using_database_key_provider);
 PG_FUNCTION_INFO_V1(pg_tde_set_key_using_global_key_provider);
 PG_FUNCTION_INFO_V1(pg_tde_set_server_key_using_global_key_provider);
+PG_FUNCTION_INFO_V1(pg_tde_delete_key);
 
 static void pg_tde_set_principal_key_internal(Oid providerOid, Oid dbOid, const char *principal_key_name, const char *provider_name, bool ensure_new_key);
 
@@ -594,6 +598,68 @@ pg_tde_set_principal_key_internal(Oid providerOid, Oid dbOid, const char *key_na
 	}
 }
 
+
+/*
+ * SQL interface to delete principal key.
+ *
+ * This operation allowed if there is no any encrypted tables in the database or
+ * if the default principal key is set for the database. In second case,
+ * key for database rotated to the default key.
+ */
+
+Datum
+pg_tde_delete_key(PG_FUNCTION_ARGS)
+{
+	TDEPrincipalKey *principal_key;
+	TDEPrincipalKey *default_principal_key;
+
+	LWLockAcquire(tde_lwlock_enc_keys(), LW_EXCLUSIVE);
+
+	principal_key = GetPrincipalKeyNoDefault(MyDatabaseId, LW_EXCLUSIVE);
+	if (principal_key == NULL)
+	{
+		ereport(ERROR,
+				errmsg("Principal key does not exists for the database"),
+				errhint("Use set_key interface to set the principal key"));
+	}
+
+	/*
+	 * If database has something encryted, we can try to fallback to the
+	 * default principal key
+	 */
+	if (!pg_tde_is_key_map_empty(MyDatabaseId))
+	{
+		default_principal_key = GetPrincipalKeyNoDefault(DEFAULT_DATA_TDE_OID, LW_EXCLUSIVE);
+		if (default_principal_key == NULL)
+		{
+			ereport(ERROR,
+					errmsg("Cannot delete principal key, there are encrypted tables and default principal key is not set"),
+					errhint("Use set_key interface to set the default principal key or decrypt all tables before deleting the principal key"));
+		}
+
+		/*
+		 * If database already encrypted with default principal key, there is
+		 * nothing to do
+		 */
+		if (pg_tde_is_same_principal_key(principal_key, default_principal_key))
+		{
+			ereport(ERROR,
+					errmsg("Cannot delete principal key, there are encrypted tables and default principal key used for the database"));
+		}
+
+		pg_tde_rotate_default_key_for_database(principal_key, default_principal_key);
+
+		LWLockRelease(tde_lwlock_enc_keys());
+		PG_RETURN_VOID();
+	}
+
+	pg_tde_delete_principal_key(MyDatabaseId, true);
+	clear_principal_key_cache(MyDatabaseId);
+
+	LWLockRelease(tde_lwlock_enc_keys());
+	PG_RETURN_VOID();
+}
+
 PG_FUNCTION_INFO_V1(pg_tde_key_info);
 Datum
 pg_tde_key_info(PG_FUNCTION_ARGS)
diff --git a/contrib/pg_tde/src/include/access/pg_tde_tdemap.h b/contrib/pg_tde/src/include/access/pg_tde_tdemap.h
@@ -107,6 +107,9 @@ extern bool pg_tde_verify_principal_key_info(TDESignedPrincipalKeyInfo *signed_k
 extern void pg_tde_save_principal_key(const TDEPrincipalKey *principal_key, bool write_xlog);
 extern void pg_tde_save_principal_key_redo(const TDESignedPrincipalKeyInfo *signed_key_info);
 extern void pg_tde_perform_rotate_key(TDEPrincipalKey *principal_key, TDEPrincipalKey *new_principal_key, bool write_xlog);
+extern void pg_tde_delete_principal_key(Oid dbOid, bool write_xlog);
+extern void pg_tde_delete_principal_key_redo(Oid dbOid);
+extern bool pg_tde_is_key_map_empty(Oid dbOid);
 
 const char *tde_sprint_key(InternalKey *k);
 
diff --git a/contrib/pg_tde/src/include/access/pg_tde_xlog.h b/contrib/pg_tde/src/include/access/pg_tde_xlog.h
@@ -17,6 +17,7 @@
 #define XLOG_TDE_ROTATE_PRINCIPAL_KEY	0x20
 #define XLOG_TDE_WRITE_KEY_PROVIDER 	0x30
 #define XLOG_TDE_INSTALL_EXTENSION		0x40
+#define XLOG_TDE_DELETE_PRINCIPAL_KEY	0x50
 
 /* ID 140 is registered for Percona TDE extension: https://wiki.postgresql.org/wiki/CustomWALResourceManagers */
 #define RM_TDERMGR_ID	140

Original file line number	Diff line number	Diff line change
`@@ -67,6 +67,12 @@ tdeheap_rmgr_redo(XLogReaderState *record)`
`67`	`67`
`68`	`68`	`xl_tde_perform_rotate_key(xlrec);`
`69`	`69`	`}`
	`70`	`+ else if (info == XLOG_TDE_DELETE_PRINCIPAL_KEY)`
	`71`	`+ {`
	`72`	`+ Oid dbOid = ((Oid ) XLogRecGetData(record));`
	`73`	`+`
	`74`	`+ pg_tde_delete_principal_key_redo(dbOid);`
	`75`	`+ }`
`70`	`76`	`else if (info == XLOG_TDE_WRITE_KEY_PROVIDER)`
`71`	`77`	`{`
`72`	`78`	`KeyringProviderRecordInFile xlrec = (KeyringProviderRecordInFile ) XLogRecGetData(record);`