Subject: Re: Enquiry about TDE with PgSQL
From: Rainer Duffner
Date: Sat, 1 Nov 2025 21:07:01 +0100
To: Ken Marshall
Cc: pgsql-general@postgresql.org
Message-Id: <86C8ECFE-942C-4364-A5BF-3404D50CD661@ultra-secure.de>
References: <3DC589BC-A5F6-49BC-BFFC-F1FCB0FF7E95@thebuild.com> <3985797c-639f-4825-9fa9-98a48b37f380@aklaver.com>

> On 01.11.2025 at 19:54, Ken Marshall wrote:
>
> +1 from me for having TDE in-core or available as an extension
>
> The security auditors that I have worked with have been increasingly
> unwilling to actually evaluate the merits of an implementation or perhaps
> no longer have the knowledge or skills needed. This is a needed
> checkbox to allow PostgreSQL to be deployed in those environments.
>
>

Do you actually have HSMs with your TDE (assuming you use it elsewhere)?

We run, for a customer, an Oracle DataGuard configuration with TDE with an HSM.

We have a support contract with a 3rd-party company that helps us with the more obscure problems on Oracle that we don't encounter every day, and they told us that of all their clients (banks, insurance companies), we are the only ones with TDE. They loathe working with it ;-)

There's apparently another non-disclosed customer that uses it.

It may be that a lot of people now use „cloud HSMs“ - but I'm a bit of a purist for these kinds of things in that I believe that unless you own the hardware (HSMs are usually tamper-proof enough so you can deploy them in 3rd-party datacenters that aren't your own), you don't really control the keys.

In our case, the databases are backed up with rman to an NFS share that is provided by a virtualized Linux server - the servers themselves are hardware.

If you don't have TDE, your backups aren't encrypted and they end up on the Veeam server like everything else, where an admin could copy them somewhere else and potentially take them elsewhere.

With the HSM, we don't actually know the secret to decrypt the data (there may be a way to get it, I don't know). We know the secret to unseal the wallet (that sits on the HSM, I believe) so that the database actually mounts and starts.

It's pretty bullet-proof (I believe there are techniques to prevent sniffing out the secret from RAM and HSMs usually implement those in their client software).

In fact, it's so bullet-proof that should you lose the keys on the HSM, your data is gone if you have no other backups or backups of the HSM.

If the amount of data is small enough, you can GPG encrypt a „normal“ full dump - but that becomes unfeasible as database size grows.
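Rainer's closing point about GPG-encrypting a full dump, as an added example that is not from this thread or from the PostgreSQL project: a streaming backup/restore pair, so the plaintext dump never lands on the NFS share or the backup server that the message worries about. It assumes pg_dump, pg_restore and gpg are on PATH and that the backup host holds only the recipient's public key, with the private key kept elsewhere; the function names are my own.

```bash
#!/usr/bin/env bash
# Added example (not from the thread or from PostgreSQL): stream a pg_dump
# straight into gpg so no plaintext dump is ever written to the NFS share or
# the backup server. Assumptions: pg_dump, pg_restore and gpg are on PATH, and
# the backup host holds only the recipient's PUBLIC key; the private key lives
# elsewhere, so an admin who copies the file off the backup server cannot read it.

# encrypted_pg_dump DBNAME RECIPIENT OUTFILE
# Returns 2 on bad arguments, otherwise the exit status of the pipeline.
encrypted_pg_dump() {
    if [ "$#" -ne 3 ]; then
        echo "usage: encrypted_pg_dump DBNAME RECIPIENT OUTFILE" >&2
        return 2
    fi
    local db="$1" recipient="$2" out="$3"
    # pipefail matters: without it a failing pg_dump still lets gpg exit 0,
    # leaving a truncated but valid-looking .gpg file behind.
    (
        set -o pipefail
        pg_dump -Fc --no-password "$db" \
            | gpg --batch --yes --encrypt --recipient "$recipient" --output "$out"
    )
}

# encrypted_pg_restore INFILE TARGETDB
# Run on a host that holds the private key; decrypts straight into pg_restore
# (custom-format dumps can be read from stdin), so again nothing hits disk.
encrypted_pg_restore() {
    if [ "$#" -ne 2 ]; then
        echo "usage: encrypted_pg_restore INFILE TARGETDB" >&2
        return 2
    fi
    local in="$1" db="$2"
    (
        set -o pipefail
        gpg --batch --decrypt "$in" | pg_restore --no-password -d "$db"
    )
}

# verify_encrypted_dump FILE
# Cheap check for the backup job: the file must carry a public-key-encrypted
# session key packet, i.e. it is really GPG-encrypted and not a stray plaintext dump.
verify_encrypted_dump() {
    [ "$#" -eq 1 ] || return 2
    gpg --batch --list-packets "$1" 2>/dev/null | grep -q '^:pubkey enc packet:'
}
```

A periodic test restore on the key-holding host is still the only proof the backup is usable; as the message notes, losing the private key makes the encrypted dumps as unrecoverable as TDE data without the HSM.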