Hacker News
by robszumski 1280 days ago
I'm building the "in-use" part of this right now...what if you could encrypt your data with an encryption key (at-rest), but also to a set of code that is allowed to decrypt it (in-use). If that code is identified cryptographically, its identity can't be spoofed or stolen.

We're exploring secure enclaves as the protected runtime env and the code attestation generation: https://github.com/edgebitio/enclaver

This post has made me add pgsodium to my reading list :)

1 comment

One benefit of the approach we are taking is that you can use regular Postgres security rules and policies (GRANTs, RLS, etc.) to constrain access to decrypted secrets. It's not quite going all the way to encrypted VMs, but it's better than all or nothing.

Secure enclaves are something that is on our list. One issue we have is that so many of the components we ship are extensions and open source projects, so attestation becomes very hard. We've considered a very, very minimal Postgres build with almost no extensions enabled except pgsodium, which would run on an encrypted VM purely for the purposes of secret storage, but then "in-use" becomes rather restricted. Definitely open to hearing any ideas you may have on the subject!
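The reply above says that plain Postgres GRANTs and row-level security can be used to constrain who gets to see decrypted secrets. The script below is an added example of that pattern, not code from the thread, from pgsodium's documentation, or from any project mentioned here. It assumes pgsodium is installed and exposes `pgsodium.crypto_secretbox_keygen()`, `pgsodium.crypto_secretbox_noncegen()`, `pgsodium.crypto_secretbox(message, nonce, key)` and `pgsodium.crypto_secretbox_open(ciphertext, nonce, key)` with bytea arguments; the role names (`key_custodian`, `app_alice`, `app_bob`), table names and function names are hypothetical choices for the example, and the script is run by a superuser. Key material is readable only by one role, the only path to plaintext is a pair of SECURITY DEFINER functions owned by that role, and RLS on the ciphertext table keeps each caller to their own rows even while those functions run with elevated privilege.

```sql
-- Added example: pgsodium secretbox + GRANT + RLS to gate access to decrypted secrets.
-- Assumptions: pgsodium installed; role/table/function names below are hypothetical.
CREATE EXTENSION IF NOT EXISTS pgsodium;

CREATE ROLE key_custodian NOLOGIN;   -- only role allowed to read key material
CREATE ROLE app_alice LOGIN;
CREATE ROLE app_bob LOGIN;

-- Key material: no direct access for application roles.
CREATE TABLE secret_keys (
  key_id int   PRIMARY KEY,
  key    bytea NOT NULL
);
REVOKE ALL ON secret_keys FROM PUBLIC;
GRANT SELECT ON secret_keys TO key_custodian;
INSERT INTO secret_keys VALUES (1, pgsodium.crypto_secretbox_keygen());

-- Ciphertext: application roles never touch this table directly either.
CREATE TABLE secrets (
  id         serial PRIMARY KEY,
  owner      name  NOT NULL DEFAULT session_user,
  key_id     int   NOT NULL REFERENCES secret_keys,
  nonce      bytea NOT NULL,
  ciphertext bytea NOT NULL
);
REVOKE ALL ON secrets FROM PUBLIC;
GRANT SELECT, INSERT ON secrets TO key_custodian;
GRANT USAGE ON SEQUENCE secrets_id_seq TO key_custodian;
ALTER TABLE secrets ENABLE ROW LEVEL SECURITY;
-- session_user, not current_user: inside a SECURITY DEFINER function current_user
-- becomes the function owner (key_custodian), which would expose every row to every caller.
CREATE POLICY owner_only ON secrets
  USING      (owner = session_user)
  WITH CHECK (owner = session_user);

-- Encrypt on the way in. Runs as key_custodian, so it can read the key; the
-- caller only ever sees the new row id.
CREATE FUNCTION store_secret(plaintext text) RETURNS int
LANGUAGE sql SECURITY DEFINER SET search_path = pg_catalog, public AS $$
  INSERT INTO secrets (key_id, nonce, ciphertext)
  SELECT k.key_id, n.nonce,
         pgsodium.crypto_secretbox(convert_to(plaintext, 'UTF8'), n.nonce, k.key)
  FROM secret_keys k,
       (SELECT pgsodium.crypto_secretbox_noncegen() AS nonce) n
  WHERE k.key_id = 1
  RETURNING id;
$$;

-- Decrypt on the way out. The RLS policy on "secrets" is evaluated against
-- session_user, so rows owned by someone else are simply not there to decrypt.
CREATE FUNCTION read_secret(secret_id int) RETURNS text
LANGUAGE sql SECURITY DEFINER STABLE SET search_path = pg_catalog, public AS $$
  SELECT convert_from(pgsodium.crypto_secretbox_open(s.ciphertext, s.nonce, k.key), 'UTF8')
  FROM secrets s
  JOIN secret_keys k USING (key_id)
  WHERE s.id = secret_id;
$$;

ALTER FUNCTION store_secret(text) OWNER TO key_custodian;
ALTER FUNCTION read_secret(int)   OWNER TO key_custodian;
REVOKE ALL ON FUNCTION store_secret(text), read_secret(int) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION store_secret(text), read_secret(int) TO app_alice, app_bob;

-- Usage (SET SESSION AUTHORIZATION changes session_user; SET ROLE would not):
SET SESSION AUTHORIZATION app_alice;
SELECT store_secret('db password: hunter2');   -- returns the new id, e.g. 1
SELECT read_secret(1);                         -- 'db password: hunter2'
SET SESSION AUTHORIZATION app_bob;
SELECT read_secret(1);                         -- NULL: alice's row is invisible to bob
SELECT key FROM secret_keys;                   -- ERROR: permission denied for table secret_keys
RESET SESSION AUTHORIZATION;
```

The check a practitioner wants here: the policy must use `session_user`, because `current_user` is rewritten to the function owner inside SECURITY DEFINER code, and the ciphertext table must have RLS enabled for `key_custodian` (a non-owner without BYPASSRLS) for the policy to fire at all. The caveat that matches the reply's "not quite all the way to encrypted VMs": a superuser, the table owner, or any role with BYPASSRLS still reads the key table and every row, and the plaintext exists in server memory while `read_secret` runs, which is exactly the gap an enclave or encrypted VM is meant to close.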