does anyone know where there are some
# spicedbu
Unhinged
06/16/2023, 9:09 AMdoes anyone know where there are some documentation on how to set up SpiceDB to use Postgres with client side coloum encryption using pgcrypto ?
v
vroldanbet
06/16/2023, 10:43 AM👋I haven't seen this pop up before, maybe the other folks have. Are you thinking of encrypting the resource or subject IDs client-side? I don't think SpiceDB would be able to compute the results without the ability to decrypt those values, and I'm not sure if that would defeat whatever you were trying to achieve with column encryption. And if somehow you'd be ok with that, SpiceDB would have to reencrypt those values. Even the request payload to SpiceDB would have to be encrypted. I don't think this can work without some previous engineering.
y
yetitwo
06/16/2023, 7:04 PMalso what's the use case? there isn't (or shouldn't be) PII or any other sensitive form of information in the SpiceDB store
u
Unhinged
06/19/2023, 6:39 AMThe usecase is a litlle odd, Our vendor can supply a managed postgress DB, but not with sevrverside encryption, We on the other hand encrypt any storage at rest as a global policy, Hence only various client-side encryption is left. pgcrypto is the normal way to go about it, but it requires that the client ( here SpiceDB) can send the a key along in every call to pgencrypt which in turn will call postgress.
v
vroldanbet
06/19/2023, 7:57 AMI see. If this is a matter of something we can configure in the
pgxu
Unhinged
06/21/2023, 6:52 AMAt rest would only be the postgress DB on disk not the working mem of the spiceDB service. It seems that we need to test this to see if it could work out
v
vroldanbet
06/21/2023, 10:10 AMas noted, if this is something that can be transparently handled by pgx, SpiceDB can probably support it out of the box or with minimal changes