Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <pgsql-general-owner+archive@lists.postgresql.org>)
	id 1tsnQl-005dWH-V5
	for pgsql-general@arkaria.postgresql.org; Thu, 13 Mar 2025 18:37:20 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.94.2)
	(envelope-from <pgsql-general-owner+archive@lists.postgresql.org>)
	id 1tsnQk-002li4-MX
	for pgsql-general@arkaria.postgresql.org; Thu, 13 Mar 2025 18:37:18 +0000
Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29])
	by malur.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <jgdr@dalibo.com>)
	id 1tsnQk-002lgP-AP
	for pgsql-general@lists.postgresql.org; Thu, 13 Mar 2025 18:37:18 +0000
Received: from mail1.dalibo.net ([51.159.93.128] helo=mail.dalibo.com)
	by magus.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <jgdr@dalibo.com>)
	id 1tsnQg-002hAN-2y
	for pgsql-general@lists.postgresql.org;
	Thu, 13 Mar 2025 18:37:17 +0000
Received: from karst (82-65-23-130.subs.proxad.net [82.65.23.130])
	by mail.dalibo.com (Postfix) with ESMTPSA id DD9A727EF8;
	Thu, 13 Mar 2025 19:37:14 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=dalibo.com; s=a;
	t=1741891034; bh=y/N8EjcFCoQ5/OpsrwymXZGJoS/UftZH8lOybQIvMK4=;
	h=Date:From:To:Cc:Subject:In-Reply-To:References:From;
	b=iimskfz9Z6f318TACHhhCmQeHl4VOaElh8ZMewXs1Obuc9Yyv/wF5w+wpIi5KJF6n
	 Q/dp+ajN3Lyoa1TwXwB1iNhtFztI2yS86Evdxb/xU8Mv/BMfg1GBpq2uYOO5XwOYdU
	 FzrvwBKuiWvjQbSrr27D8CfFj+dOrEpO0Ul81v3g=
Date: Thu, 13 Mar 2025 19:37:14 +0100
From: Jehan-Guillaume de Rorthais <jgdr@dalibo.com>
To: Ron Johnson <ronljohnsonjr@gmail.com>
Cc: "pgsql-generallists.postgresql.org" <pgsql-general@lists.postgresql.org>
Subject: Re: hide data from admins
Message-ID: <20250313193714.27810bba@karst>
In-Reply-To: <CANzqJaBUFoVZw+AS9Rc4OQ67NNzzsPdLvD2SSb8J9KpR=kXogQ@mail.gmail.com>
References: <CAC5iy63SkK=C2f4Z+C9110brQPKEGLxpOn8fLnPs4A2vsMmpAA@mail.gmail.com>
	<CANzqJaBUFoVZw+AS9Rc4OQ67NNzzsPdLvD2SSb8J9KpR=kXogQ@mail.gmail.com>
Organization: Dalibo
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
List-Id: <pgsql-general.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-general@lists.postgresql.org>
List-Owner: <mailto:pgsql-general-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-general>
Archived-At: <https://www.postgresql.org/message-id/20250313193714.27810bba%40karst>
Precedence: bulk

Le Tue, 11 Mar 2025 22:03:50 -0400,
Ron Johnson <ronljohnsonjr@gmail.com> a =C3=A9crit :

> On Tue, Mar 11, 2025 at 9:48=E2=80=AFPM Siraj G <tosiraj.g@gmail.com> wro=
te:
>=20
> > Hello Experts!
> >
> > What are the features available in Postgresql to hide PII (personal
> > identifiable information) from the Admin team? Like in Oracle we have d=
ata
> > vault and data redaction, I am looking for similar features in
> > PostgreSQL.We do not want to do code level changes.
>=20
> Look at pgsodium.  However, "no code level changes" is code for at-rest
> encryption.

Unless I'm wrong, pgsodium will not protect you from Admin team. The "postg=
res"
role will always be able to read your keys or meta-data to derive them from=
 the
master key if they are stored inside the database=E2=80=A6 and root might b=
e able to
scan the memory to find the master key I suppose.

Storing the keys outisde the database means code level change.

Your best bet would be the Transparent Column Encryption patch, but it is
stalled for one year.

In last resort, I suppose selinux/sepgsql machinery can lock everything the=
 way
you want, even without encryption=E2=80=A6

good luck.