Date: Tue, 20 Jan 2026 11:03:25 -0800
From: dmurvihill@gmail.com
To: Erik Wienhold <ewie@ewie.name>, ManiR <mani.retnaswamy@gmail.com>
Cc: pgsql-general@postgresql.org
Message-ID: <9510af9c-a300-4702-bddd-83f81297b834@Spark>
In-Reply-To: <9e3ecb34-7132-4ce7-9c62-b2ad9c02bda4@ewie.name>
References: <CAA5LiFbFsaE1qT+iDtRf0769HG7nFuGzPDa9AJwTzEauNK8J=g@mail.gmail.com>
 <9e3ecb34-7132-4ce7-9c62-b2ad9c02bda4@ewie.name>
Subject: Re: Request for cryptographic mechanisms used in PostgreSQL
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="696fd1b6_41a7c4c9_d54e"
Archived-At: <https://www.postgresql.org/message-id/9510af9c-a300-4702-bddd-83f81297b834%40Spark>
Precedence: bulk

--696fd1b6_41a7c4c9_d54e
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

I hope you will consider contributing the finished document back to Postg=
res, if the core team is interested. This sort of documentation would be =
very helpful for other organizations, even if they must update it for new=
er versions.
On Jan 20, 2026 at 02:51 -0800, Erik Wienhold <ewie=40ewie.name>, wrote:
> On 2026-01-20 10:17 +0100, ManiR wrote:
> > As part of a security documentation update, we are preparing a *Crypt=
ographic
> > Bill of Materials (CBOM)* to document the cryptographic mechanisms us=
ed by
> > the services deployed in our environment.
> >
> > We would like your guidance on the *cryptographic mechanisms used by
> > PostgreSQL*, including:
> >
> > -
> >
> > The *types of cryptographic mechanisms* involved (for example, TLS/SS=
L
> > for client-server communication, authentication mechanisms, password
> > hashing, replication security, encryption at rest where applicable)
> > -
> >
> > The *cryptographic algorithms and protocols* used
> > -
> >
> > The *source or storage location* of cryptographic material (for examp=
le,
> > configuration files, certificates, private keys, system catalogs, or
> > external key management systems)
> > -
> >
> > The *purpose* of each mechanism (for example, data-in-transit
> > encryption, authentication, access control, replication security)
> >
> > Our goal is to accurately document PostgreSQL=E2=80=99s cryptographic=
 controls
> > for *compliance
> > and audit purposes*. This request is for documentation clarity only a=
nd is *not
> > related to vulnerability disclosure*.
> >
> > Any clarification or references to official PostgreSQL documentation =
would
> > be greatly appreciated.
>
> Some links to get you going:
>
> https://www.postgresql.org/docs/current/encryption-options.html
> https://www.postgresql.org/docs/current/ssl-tcp.html
> https://www.postgresql.org/docs/current/gssapi-enc.html
> https://www.postgresql.org/docs/current/ssh-tunnels.html
> https://www.postgresql.org/docs/current/client-authentication.html
> https://www.postgresql.org/docs/current/libpq-ssl.html
> https://www.postgresql.org/docs/current/sasl-authentication.html
> https://www.postgresql.org/docs/current/pgcrypto.html
>
> --
> Erik Wienhold
>
>

--696fd1b6_41a7c4c9_d54e
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

<html xmlns=3D=22http://www.w3.org/1999/xhtml=22>
<head>
<title></title>
</head>
<body>
<div name=3D=22messageBodySection=22>
<div>I hope you will consider contributing the finished document back to =
Postgres, if the core team is interested. This sort of documentation woul=
d be very helpful for other organizations, even if they must update it fo=
r newer versions.</div>
</div>
<div name=3D=22messageReplySection=22>On Jan 20, 2026 at 02:51 -0800, Eri=
k Wienhold &lt;ewie=40ewie.name&gt;, wrote:<br />
<blockquote type=3D=22cite=22>On 2026-01-20 10:17 +0100, ManiR wrote:<br =
/>
<blockquote type=3D=22cite=22 style=3D=22border-left-color: grey; border-=
left-width: thin; border-left-style: solid; margin: 5px 5px;padding-left:=
 10px;=22>As part of a security documentation update, we are preparing a =
*Cryptographic<br />
Bill of Materials (CBOM)* to document the cryptographic mechanisms used b=
y<br />
the services deployed in our environment.<br />
<br />
We would like your guidance on the *cryptographic mechanisms used by<br /=
>
PostgreSQL*, including:<br />
<br />
-<br />
<br />
The *types of cryptographic mechanisms* involved (for example, TLS/SSL<br=
 />
for client-server communication, authentication mechanisms, password<br /=
>
hashing, replication security, encryption at rest where applicable)<br />=

-<br />
<br />
The *cryptographic algorithms and protocols* used<br />
-<br />
<br />
The *source or storage location* of cryptographic material (for example,<=
br />
configuration files, certificates, private keys, system catalogs, or<br /=
>
external key management systems)<br />
-<br />
<br />
The *purpose* of each mechanism (for example, data-in-transit<br />
encryption, authentication, access control, replication security)<br />
<br />
Our goal is to accurately document PostgreSQL=E2=80=99s cryptographic con=
trols<br />
for *compliance<br />
and audit purposes*. This request is for documentation clarity only and i=
s *not<br />
related to vulnerability disclosure*.<br />
<br />
Any clarification or references to official PostgreSQL documentation woul=
d<br />
be greatly appreciated.<br /></blockquote>
<br />
Some links to get you going:<br />
<br />
https://www.postgresql.org/docs/current/encryption-options.html<br />
https://www.postgresql.org/docs/current/ssl-tcp.html<br />
https://www.postgresql.org/docs/current/gssapi-enc.html<br />
https://www.postgresql.org/docs/current/ssh-tunnels.html<br />
https://www.postgresql.org/docs/current/client-authentication.html<br />
https://www.postgresql.org/docs/current/libpq-ssl.html<br />
https://www.postgresql.org/docs/current/sasl-authentication.html<br />
https://www.postgresql.org/docs/current/pgcrypto.html<br />
<br />
--<br />
Erik Wienhold<br />
<br />
<br /></blockquote>
</div>
</body>
</html>

--696fd1b6_41a7c4c9_d54e--