PG-1257 Add functions for principal key removal

artemgavrilov · artemgavrilov · commit 9d965b6f1113 · 2025-05-29T00:29:01.000+02:00
Add SQL functions that allow user to remove principal key.

* Database level principal key can be removed if there are no encrypted tables or if there is default key. For the first case we just drop key map file completely, for the second we perform key rotation.
* Default principal key can be removed if there are no databases that use it.

Fix

Fix
diff --git a/contrib/pg_tde/Makefile b/contrib/pg_tde/Makefile
@@ -26,7 +26,8 @@ toast_decrypt \
 vault_v2_test \
 version \
 default_principal_key \
-create_database
+create_database \
+delete_principal_key
 TAP_TESTS = 1
 endif
 
diff --git a/contrib/pg_tde/expected/default_principal_key.out b/contrib/pg_tde/expected/default_principal_key.out
@@ -146,6 +146,12 @@ SELECT * FROM test_enc;
 (3 rows)
 
 DROP TABLE test_enc;
+SELECT pg_tde_delete_default_key();
+ pg_tde_delete_default_key 
+---------------------------
+ 
+(1 row)
+
 DROP EXTENSION pg_tde CASCADE;
 DROP EXTENSION pg_buffercache;
 DROP DATABASE regress_pg_tde_other;
diff --git a/contrib/pg_tde/expected/delete_principal_key.out b/contrib/pg_tde/expected/delete_principal_key.out
@@ -0,0 +1,116 @@
+CREATE EXTENSION IF NOT EXISTS pg_tde;
+SELECT pg_tde_add_global_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');
+ pg_tde_add_global_key_provider_file 
+-------------------------------------
+                                  -7
+(1 row)
+
+-- Set the local key and delete it without any encrypted tables
+-- Should succeed: nothing used the key
+SELECT pg_tde_set_key_using_global_key_provider('test-db-key','file-vault');
+ pg_tde_set_key_using_global_key_provider 
+------------------------------------------
+ 
+(1 row)
+
+SELECT key_provider_id, key_provider_name, key_name FROM pg_tde_key_info();
+ key_provider_id | key_provider_name |  key_name   
+-----------------+-------------------+-------------
+              -7 | file-vault        | test-db-key
+(1 row)
+
+SELECT pg_tde_delete_key();
+ pg_tde_delete_key 
+-------------------
+ 
+(1 row)
+
+-- Set local key, encrypt a table, and delete the key
+-- Should fail: the is no default key to fallback
+SELECT pg_tde_set_key_using_global_key_provider('test-db-key','file-vault');
+ pg_tde_set_key_using_global_key_provider 
+------------------------------------------
+ 
+(1 row)
+
+CREATE TABLE test_table (id int, data text) USING tde_heap;
+SELECT pg_tde_delete_key();
+ERROR:  Cannot delete principal key, there are encrypted tables and default principal key is not set
+HINT:  Use set_key interface to set the default principal key or decrypt all tables before deleting the principal key
+-- Decrypt the table and delete the key
+-- Should succeed: there is no more encrypted tables
+ALTER TABLE test_table SET ACCESS METHOD heap;
+SELECT pg_tde_delete_key();
+ pg_tde_delete_key 
+-------------------
+ 
+(1 row)
+
+-- Set local key, encrypt the table then delete teable and key
+-- Should succeed: the table is deleted and there are no more encrypted tables
+SELECT pg_tde_set_key_using_global_key_provider('test-db-key','file-vault');
+ pg_tde_set_key_using_global_key_provider 
+------------------------------------------
+ 
+(1 row)
+
+ALTER TABLE test_table SET ACCESS METHOD tde_heap;
+DROP TABLE test_table;
+SELECT pg_tde_delete_key();
+ pg_tde_delete_key 
+-------------------
+ 
+(1 row)
+
+-- Set default key, set regular key, create table, delete regular key
+-- Should succeed: regular key will be rotated to default key
+SELECT pg_tde_set_default_key_using_global_key_provider('defalut-key','file-vault');
+ pg_tde_set_default_key_using_global_key_provider 
+--------------------------------------------------
+ 
+(1 row)
+
+SELECT pg_tde_set_key_using_global_key_provider('test-db-key','file-vault');
+ pg_tde_set_key_using_global_key_provider 
+------------------------------------------
+ 
+(1 row)
+
+CREATE TABLE test_table (id int, data text) USING tde_heap;
+SELECT pg_tde_delete_key();
+ pg_tde_delete_key 
+-------------------
+ 
+(1 row)
+
+SELECT key_provider_id, key_provider_name, key_name FROM pg_tde_key_info();
+ key_provider_id | key_provider_name |  key_name   
+-----------------+-------------------+-------------
+              -7 | file-vault        | defalut-key
+(1 row)
+
+-- Try to delete key when default key is used
+-- Should fail: table already uses the default key, so there is no key to fallback to
+SELECT pg_tde_delete_key();
+ERROR:  Cannot delete principal key, there are encrypted tables and default principal key used for the database
+-- Try to delete default key
+-- Should fail: default key is used by the table
+SELECT pg_tde_delete_default_key();
+ERROR:  Cannot delete default principal key, it's used by 16384 database
+HINT:  Use set_key interface to set the database principal key instead of default principal key
+-- Set regular principal key, delete default key
+-- Should succeed: the table will use the regular key
+SELECT pg_tde_set_key_using_global_key_provider('test-db-key','file-vault');
+ pg_tde_set_key_using_global_key_provider 
+------------------------------------------
+ 
+(1 row)
+
+SELECT pg_tde_delete_default_key();
+ pg_tde_delete_default_key 
+---------------------------
+ 
+(1 row)
+
+DROP TABLE test_table;
+DROP EXTENSION pg_tde;
diff --git a/contrib/pg_tde/pg_tde--1.0-rc.sql b/contrib/pg_tde/pg_tde--1.0-rc.sql
@@ -454,6 +454,16 @@ RETURNS VOID
 LANGUAGE C
 AS 'MODULE_PATHNAME';
 
+CREATE FUNCTION pg_tde_delete_key()
+RETURNS VOID
+LANGUAGE C
+AS 'MODULE_PATHNAME';
+
+CREATE FUNCTION pg_tde_delete_default_key()
+RETURNS VOID
+LANGUAGE C
+AS 'MODULE_PATHNAME';
+
 CREATE FUNCTION pg_tde_key_info()
 RETURNS TABLE ( key_name TEXT,
                 key_provider_name TEXT,
diff --git a/contrib/pg_tde/sql/default_principal_key.sql b/contrib/pg_tde/sql/default_principal_key.sql
@@ -81,7 +81,6 @@ SELECT  key_provider_id, key_provider_name, key_name
 SELECT pg_buffercache_evict(bufferid) FROM pg_buffercache WHERE relfilenode = (SELECT relfilenode FROM pg_class WHERE oid = 'test_enc'::regclass);
 
 SELECT * FROM test_enc;
-
 DROP TABLE test_enc;
 
 DROP EXTENSION pg_tde CASCADE;
@@ -94,6 +93,7 @@ SELECT * FROM test_enc;
 
 DROP TABLE test_enc;
 
+SELECT pg_tde_delete_default_key();
 DROP EXTENSION pg_tde CASCADE;
 DROP EXTENSION pg_buffercache;
 
diff --git a/contrib/pg_tde/sql/delete_principal_key.sql b/contrib/pg_tde/sql/delete_principal_key.sql
@@ -0,0 +1,51 @@
+CREATE EXTENSION IF NOT EXISTS pg_tde;
+
+SELECT pg_tde_add_global_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');
+
+-- Set the local key and delete it without any encrypted tables
+-- Should succeed: nothing used the key
+SELECT pg_tde_set_key_using_global_key_provider('test-db-key','file-vault');
+SELECT key_provider_id, key_provider_name, key_name FROM pg_tde_key_info();
+SELECT pg_tde_delete_key();
+
+-- Set local key, encrypt a table, and delete the key
+-- Should fail: the is no default key to fallback
+SELECT pg_tde_set_key_using_global_key_provider('test-db-key','file-vault');
+CREATE TABLE test_table (id int, data text) USING tde_heap;
+SELECT pg_tde_delete_key();
+
+-- Decrypt the table and delete the key
+-- Should succeed: there is no more encrypted tables
+ALTER TABLE test_table SET ACCESS METHOD heap;
+SELECT pg_tde_delete_key();
+
+-- Set local key, encrypt the table then delete teable and key
+-- Should succeed: the table is deleted and there are no more encrypted tables
+SELECT pg_tde_set_key_using_global_key_provider('test-db-key','file-vault');
+ALTER TABLE test_table SET ACCESS METHOD tde_heap;
+DROP TABLE test_table;
+SELECT pg_tde_delete_key();
+
+-- Set default key, set regular key, create table, delete regular key
+-- Should succeed: regular key will be rotated to default key
+SELECT pg_tde_set_default_key_using_global_key_provider('defalut-key','file-vault');
+SELECT pg_tde_set_key_using_global_key_provider('test-db-key','file-vault');
+CREATE TABLE test_table (id int, data text) USING tde_heap;
+SELECT pg_tde_delete_key();
+SELECT key_provider_id, key_provider_name, key_name FROM pg_tde_key_info();
+
+-- Try to delete key when default key is used
+-- Should fail: table already uses the default key, so there is no key to fallback to
+SELECT pg_tde_delete_key();
+
+-- Try to delete default key
+-- Should fail: default key is used by the table
+SELECT pg_tde_delete_default_key();
+
+-- Set regular principal key, delete default key
+-- Should succeed: the table will use the regular key
+SELECT pg_tde_set_key_using_global_key_provider('test-db-key','file-vault');
+SELECT pg_tde_delete_default_key();
+
+DROP TABLE test_table;
+DROP EXTENSION pg_tde;
diff --git a/contrib/pg_tde/src/access/pg_tde_tdemap.c b/contrib/pg_tde/src/access/pg_tde_tdemap.c
@@ -544,6 +544,87 @@ pg_tde_perform_rotate_key(TDEPrincipalKey *principal_key, TDEPrincipalKey *new_p
 	}
 }
 
+/*
+ * Checks if the key map file for the given database has any non-empty entries.
+ *
+ * The caller must hold the lock on the files before calling this function.
+*/
+bool
+pg_tde_is_key_map_empty(Oid dbOid)
+{
+	char		path[MAXPGPATH];
+	off_t		pos;
+	int			fd;
+
+	pg_tde_set_db_file_path(dbOid, path);
+
+	fd = pg_tde_open_file_read(path, false, &pos);
+
+	while (1)
+	{
+		TDEMapEntry map_entry;
+
+		if (!pg_tde_read_one_map_entry(fd, &map_entry, &pos))
+			break;
+
+		if (map_entry.type != MAP_ENTRY_EMPTY)
+		{
+			close(fd);
+			return false;
+		}
+	}
+
+	close(fd);
+	return true;
+}
+
+
+void
+pg_tde_delete_principal_key_redo(Oid dbOid)
+{
+	LWLockAcquire(tde_lwlock_enc_keys(), LW_EXCLUSIVE);
+
+	/* This is called during recovery, so no XLog records allowed */
+	pg_tde_delete_principal_key(dbOid, false);
+
+	LWLockRelease(tde_lwlock_enc_keys());
+}
+
+/*
+ * Deletes the principal key for the database. This fucntion checks if key map
+ * file has any entries, and if not, it removes the file. Otherwise raises an error.
+ *
+ * The caller must hold an exclusive lock on the files before calling this function.
+ */
+void
+pg_tde_delete_principal_key(Oid dbOid, bool write_xlog)
+{
+	char		path[MAXPGPATH];
+
+	pg_tde_set_db_file_path(dbOid, path);
+
+	/*
+	 * Check that there aro no local keys in the map file, i.e. nothing is
+	 * encrypted with the principal key.
+	 */
+	if (!pg_tde_is_key_map_empty(dbOid))
+	{
+		ereport(ERROR,
+				errcode(ERRCODE_INTERNAL_ERROR),
+				errmsg("could not delete key, key map file is not empty"));
+	}
+
+	if (write_xlog)
+	{
+		XLogBeginInsert();
+		XLogRegisterData((char *) &dbOid, sizeof(Oid));
+		XLogInsert(RM_TDERMGR_ID, XLOG_TDE_DELETE_PRINCIPAL_KEY);
+	}
+
+	/* Remove whole key map file */
+	durable_unlink(path, ERROR);
+}
+
 /*
  * It's called by seg_write inside crit section so no pallocs, hence
  * needs keyfile_path
diff --git a/contrib/pg_tde/src/access/pg_tde_xlog.c b/contrib/pg_tde/src/access/pg_tde_xlog.c
@@ -67,6 +67,12 @@ tdeheap_rmgr_redo(XLogReaderState *record)
 
 		xl_tde_perform_rotate_key(xlrec);
 	}
+	else if (info == XLOG_TDE_DELETE_PRINCIPAL_KEY)
+	{
+		Oid			dbOid = *((Oid *) XLogRecGetData(record));
+
+		pg_tde_delete_principal_key_redo(dbOid);
+	}
 	else if (info == XLOG_TDE_WRITE_KEY_PROVIDER)
 	{
 		KeyringProviderRecordInFile *xlrec = (KeyringProviderRecordInFile *) XLogRecGetData(record);
diff --git a/contrib/pg_tde/src/catalog/tde_principal_key.c b/contrib/pg_tde/src/catalog/tde_principal_key.c
diff --git a/contrib/pg_tde/src/include/access/pg_tde_tdemap.h b/contrib/pg_tde/src/include/access/pg_tde_tdemap.h
diff --git a/contrib/pg_tde/src/include/access/pg_tde_xlog.h b/contrib/pg_tde/src/include/access/pg_tde_xlog.h

Original file line number	Diff line number	Diff line change
`@@ -67,6 +67,12 @@ tdeheap_rmgr_redo(XLogReaderState *record)`
`67`	`67`
`68`	`68`	`xl_tde_perform_rotate_key(xlrec);`
`69`	`69`	`}`
	`70`	`+ else if (info == XLOG_TDE_DELETE_PRINCIPAL_KEY)`
	`71`	`+ {`
	`72`	`+ Oid dbOid = ((Oid ) XLogRecGetData(record));`
	`73`	`+`
	`74`	`+ pg_tde_delete_principal_key_redo(dbOid);`
	`75`	`+ }`
`70`	`76`	`else if (info == XLOG_TDE_WRITE_KEY_PROVIDER)`
`71`	`77`	`{`
`72`	`78`	`KeyringProviderRecordInFile xlrec = (KeyringProviderRecordInFile ) XLogRecGetData(record);`