Subject: Re: Enquiry about TDE with PgSQL
From: Christophe Pettus
Date: Fri, 31 Oct 2025 18:35:52 -0700
To: "Clay Jackson (cjackson)"
Cc: Bruce Momjian, pgsql-general, Kai Wagner, Laurenz Albe, Ron Johnson
Message-Id: <3DC589BC-A5F6-49BC-BFFC-F1FCB0FF7E95@thebuild.com>

On Oct 31, 2025, at 17:24, Clay Jackson (cjackson) wrote:
>
> I can't disagree - but the question then becomes, as Markus and others have pointed out; would that allow a customer/user to check the "Encryption" box for PCI or any other "compliance review"

The answer is: it depends (doesn't it always?). Doing secure column-level encryption meets the PCI standard, and a competent PCI auditor will know that. However, TDE has this cachet as being "the way one does it," and if the organization is that way, it's hard to move them off of it.

As a sign of how the PCI world views TDE, at least one of the major credit card associations does not use it, and they have literally everyone's credit card number, with expiration date and CVV, sitting on their disks.