Re: Enquiry about TDE with PgSQL

public inbox for [email protected]  
help / color / mirror / Atom feed

From: Christophe Pettus <[email protected]>
To: Clay Jackson (cjackson) <[email protected]>
Cc: Bruce Momjian <[email protected]>
Cc: pgsql-general <[email protected]>
Cc: Kai Wagner <[email protected]>
Cc: Laurenz Albe <[email protected]>
Cc: Ron Johnson <[email protected]>
Subject: Re: Enquiry about TDE with PgSQL
Date: Fri, 31 Oct 2025 18:35:52 -0700
Message-ID: <[email protected]> (raw)
In-Reply-To: <CO1PR19MB4984B665A5F9F38A5E0FB5969BF9A@CO1PR19MB4984.namprd19.prod.outlook.com>
References: <CACgMzfwSDRF+kQr59h0-xGUobCeFZxwVzE_tUxF18DkVb+vuDQ@mail.gmail.com>
	<CAKAnmmKDCOdUT5JtJZz5papMO0zW1cnG4934d6aQVCQ_KdbUeg@mail.gmail.com>
	<CANzqJaA41CzNjkiQex+A0u9z11i6R3WQZJ+fkXfJO7VJwOMWzg@mail.gmail.com>
	<[email protected]>
	<[email protected]>
	<CAG0qCNhL=SEB4vc4v48PxN1F-t8htC463TpX7KDNWQ-s3s8dtA@mail.gmail.com>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<CO1PR19MB4984B665A5F9F38A5E0FB5969BF9A@CO1PR19MB4984.namprd19.prod.outlook.com>

On Oct 31, 2025, at 17:24, Clay Jackson (cjackson) <[email protected]> wrote:
> 
> I can't disagree - but the question them becomes, as Markus and other have pointed out; would that allow a customer/user to check the "Encryption" box for PCI or any other "compliance review"

The answer is: it depends (doesn't it always?).  Doing secure column-level encryption meets the PCI standard, and a competent PCI auditor will know that.  However, TDE has this cache as being "the way one does it," and if the organization is that way, it's hard to move them off of it.

As a sign of how the PCI world views TDE, at least one of the major credit card associations does not use it, and they have literally everyone's credit card number, with expiration date and CVV, sitting on their disks.

view thread (36+ messages)  latest in thread

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
  Subject: Re: Enquiry about TDE with PgSQL
  In-Reply-To: <[email protected]>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox