public inbox for [email protected]
From: [email protected]
To: Bruce Momjian <[email protected]>
Cc: Ken Marshall <[email protected]>
Cc: [email protected]
Subject: Re: Enquiry about TDE with PgSQL
Date: Mon, 03 Nov 2025 16:39:45 +0100
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
<CO1PR19MB4984B665A5F9F38A5E0FB5969BF9A@CO1PR19MB4984.namprd19.prod.outlook.com>
<[email protected]>
<CAKt_ZfuwPgG_nJHp6S=8k_+NdA6Op7hE0z7+s4-HuBqr1cnwsg@mail.gmail.com>
<CAG0qCNjd2m9Ej1ZEwuCCkgsqJz0vnso3ZFwjKCxzwUfnfu=SNw@mail.gmail.com>
<[email protected]>
<[email protected]>
<CAKAnmmJ4yRTb-TV=ik0aoEZsWzDzuKRgCjXFfF5DCzR5jiCQdA@mail.gmail.com>
<[email protected]>
<[email protected]>
<[email protected]>
Am 2025-11-03 16:08, schrieb Bruce Momjian:
> Is it the Oracle API they don't like, that Postgres can improve upon, or
> something fundamental they don't like, or don't see the value in?
I am not sure.
It just complicates everything.
Documentation isn't thin, it's skeletal.
And of course, actual support from the HSM-vendor for this use-case is
non-existent.
Same for Oracle.
They'll both point at each other.
Who'd have thought that.
> As far as I know, there are two ways to generate the data encryption
> key. One is for the HSM to generate it, and then only the HSM knows it.
> The other method is to create the encryption key on a USB memory stick,
> copy the key into the HSM, and then remove the USB memory stick and
> store it in a secure location like a safe. The second method seems like
> a better option to me. Oh, and make a second copy of the USB memory
> stick.
The keys are generated on the HSM.
There's an HSM client you've got to install that manages the communication
to the HSM.
The HSM should be backed up, too. Which is only possible by connecting
physically to it with a notebook and inserting a USB stick.
Which begs the question: where do you source a USB stick with the same
trust level as the 20k-a-pop HSM?