Subject: Re: Enquiry about TDE with PgSQL
From: Christophe Pettus
Date: Fri, 31 Oct 2025 10:40:56 -0700
To: "Clay Jackson (cjackson)"
Cc: Bruce Momjian, Adrian Klaver, Kai Wagner, Laurenz Albe, Ron Johnson, pgsql-general
Message-Id: <9358BA09-E2C6-4116-9E9E-3DA5D31A11DA@thebuild.com>

> On Oct 31, 2025, at 10:32, Clay Jackson (cjackson) wrote:
>
> Pardon me for jumping in here - but would filesystem level encryption possibly meet your requirements?

If we're talking about PCI DSS, the answer is: Yes, but. Filesystem-level encryption is acceptable IF the encryption keys (or other passwords used to unlock them) are separate from the user access controls to the host that has the encrypted volume attached. You have to go through a second step of decrypting the volume (or making it available for decrypted reads) separate from just mounting it.
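
One way to check a Linux host for the separate unlock step described above, as an added example that is not part of the original message: it assumes dm-crypt/LUKS volumes listed in a crypttab(5)-style file, and the sample entries, verdict labels and function names are constructed for illustration.

```python
# Added example (not from the original message). Assumption: the encrypted
# volumes are dm-crypt/LUKS devices declared in a crypttab(5)-style file with
# the fields: name, device, key file, options.

# Constructed sample input; volume names, devices and paths are made up.
SAMPLE_CRYPTTAB = """\
# name   device                                     keyfile               options
pgdata   UUID=11111111-2222-3333-4444-555555555555  /etc/keys/pgdata.key  luks
pgwal    /dev/sdc1                                  none                  luks,noauto
swap     /dev/sdb2                                  /dev/urandom          swap,cipher=aes-xts-plain64
archive  /dev/sdd1                                  -                     luks,tpm2-device=auto
"""

RANDOM_SOURCES = ("/dev/urandom", "/dev/random")


def classify(line):
    """Return (name, verdict) for one crypttab line, or None for blanks/comments."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    if len(fields) < 2:
        raise ValueError(f"malformed crypttab line: {line!r}")
    name = fields[0]
    keyfile = fields[2] if len(fields) > 2 else "none"
    options = fields[3].split(",") if len(fields) > 3 else []
    option_names = {opt.split("=", 1)[0] for opt in options}

    if keyfile in RANDOM_SOURCES:
        return name, "ephemeral"      # fresh random key each boot (swap/tmp)
    if keyfile not in ("none", "-"):
        return name, "keyfile"        # key read from a file the host can reach
    if "tpm2-device" in option_names:
        return name, "host-bound"     # TPM on the host may unlock unattended
    return name, "separate-step"      # secret supplied at unlock time


def audit(text):
    """Map each volume name in a crypttab text to its verdict."""
    return dict(filter(None, map(classify, text.splitlines())))


def needs_review(text):
    """Volumes where access to the host may be enough to read plaintext."""
    flagged = ("keyfile", "host-bound")
    return sorted(n for n, v in audit(text).items() if v in flagged)


if __name__ == "__main__":
    for volume, verdict in audit(SAMPLE_CRYPTTAB).items():
        print(f"{volume:8} {verdict}")
    print("review:", ", ".join(needs_review(SAMPLE_CRYPTTAB)))
```

A flagged entry is a prompt to look at where the key lives and who can reach it, not a compliance verdict in itself.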