public inbox for [email protected]  
From: Kai Wagner <[email protected]>
To: Bruce Momjian <[email protected]>
Cc: Laurenz Albe <[email protected]>
Cc: Ron Johnson <[email protected]>
Cc: pgsql-general <[email protected]>
Subject: Re: Enquiry about TDE with PgSQL
Date: Fri, 31 Oct 2025 15:01:48 +0100
Message-ID: <CAG0qCNhL=SEB4vc4v48PxN1F-t8htC463TpX7KDNWQ-s3s8dtA@mail.gmail.com>
In-Reply-To: <[email protected]>
References: <CACgMzfwSDRF+kQr59h0-xGUobCeFZxwVzE_tUxF18DkVb+vuDQ@mail.gmail.com>
	<CAKAnmmKDCOdUT5JtJZz5papMO0zW1cnG4934d6aQVCQ_KdbUeg@mail.gmail.com>
	<CANzqJaA41CzNjkiQex+A0u9z11i6R3WQZJ+fkXfJO7VJwOMWzg@mail.gmail.com>
	<[email protected]>
	<[email protected]>

As I personally believe, there is no real way around TDE in the future,
either by extensibility of the core (start with the storage manager and
move your way on from there) to make an extension possible, or by directly
adding it to the core; there are more reasons coming or already on
their way.

With the PCI DSS v4.1 standard, one key rule to comply with is that "If
PAN is stored, it must be rendered unreadable". Of course there are other
ways, like tokenization, hashing etc., but this regulation is pushing
towards at-rest encryption in the long run, and not only disk encryption.
We can dislike it, but we are already seeing the need coming from large
industries and companies that cannot work around this anymore, as the
auditors doing the checkboxes do not really care about "good alternatives",
as they do not even technically understand what this is about. They
simply compare postgres against other databases already in use at these
orgs (MySQL or MongoDB), and as such we are currently the only one that
cannot be used in such a use case, at least not without the willingness of
the auditor to make it happen.

On Thu, Oct 30, 2025 at 9:00 PM Bruce Momjian <[email protected]> wrote:

> On Fri, Oct 17, 2025 at 09:01:52AM +0200, Laurenz Albe wrote:
> > On Fri, 2025-10-17 at 00:49 -0400, Ron Johnson wrote:
> > > On Thu, Oct 16, 2025 at 6:05 PM Greg Sabino Mullane <[email protected]> wrote:
> > > >
> > > > TDE, on the other hand, is a very complex and difficult thing to add into Postgres.
> > >
> > > TDE was added to SQL Server, with (to us, at least) minimally-noticed overhead.
> > > Oracle has it, too, but I don't know the details.
> > >
> > > The bottom line is that requirements for TDE are escalating, whether you like it or
> > > not, as Yet Another Layer Of Defense against hackers exfiltrating data, and then
> > > threatening to leak it to the public.
> >
> > Bruce Momjian has interesting things to say about that in
> >
> > https://compiledconversations.com/6/ (unfortunately I don't remember where
> > exactly in this 84 minute piece).
>
> Here is my most recent blog about TDE:
>
> https://momjian.us/main/blogs/pgblog/2025.html#February_22_2025
>
> --
>   Bruce Momjian  <[email protected]>
>   https://momjian.us
>   EDB
>   https://enterprisedb.com
>
>   Do not let urgent matters crowd out time for investment in the future.

