From: Kai Wagner <[email protected]>
To: Chris Travers <[email protected]>
Cc: Christophe Pettus <[email protected]>
Cc: Clay Jackson (cjackson) <[email protected]>
Cc: Bruce Momjian <[email protected]>
Cc: pgsql-general <[email protected]>
Cc: Laurenz Albe <[email protected]>
Cc: Ron Johnson <[email protected]>
Subject: Re: Enquiry about TDE with PgSQL
Date: Sat, 1 Nov 2025 08:34:57 +0100
Message-ID: <CAG0qCNjd2m9Ej1ZEwuCCkgsqJz0vnso3ZFwjKCxzwUfnfu=SNw@mail.gmail.com>
In-Reply-To: <CAKt_ZfuwPgG_nJHp6S=8k_+NdA6Op7hE0z7+s4-HuBqr1cnwsg@mail.gmail.com>
On Sat, Nov 1, 2025 at 5:19 AM Chris Travers <[email protected]>
wrote:
> I maintain that the way forward is to get TDE in core. Perhaps someone
> could pick up the previous patches and try to push them again
>
I wholeheartedly agree, as in this thread we are trying to do the same
thing again, that has already happened all the years before. We lose
ourselves in technical reasons, wondering why this makes no sense and how
it could be achieved differently, but we forget that we live in a vacuum
and bubble here. The auditor, most of the time (as I've seen many times),
has no knowledge of these technical aspects. It's a box to check, with a
simple 'yes' or 'no'. They don't even wanna hear any "but this also
satisfies it, as this isn't clearly stated and worded in the standard".
This doesn't get us anywhere anymore; they will not put their checkbox
there if there is no simple answer to it.

@Bruce Momjian <[email protected]> I totally understand your frustration
from previous times and also your point of view, that's absolutely valid,
no doubt about that. The time has changed over the course of the last 5+
years, and maybe it is time to reconsider. Just because it didn't succeed
last time doesn't mean we have to end up in the same spot this time. We
discussed it at length, and I am committed to supporting and making happen
what's necessary to get TDE fully functional with postgres directly. The
way of the implementation is a different question. Who from the former
times, or maybe even now, being interested in the topic, would be open for
a TDE group, to technically discuss options, possibilities etc. that we can
POC on and share for further feedback?!
>
> Best Wishes,
> Chris Travers
>
>
> On Sat, Nov 1, 2025, 8:36 AM Christophe Pettus <[email protected]> wrote:
>
>> On Oct 31, 2025, at 17:24, Clay Jackson (cjackson) <
>> [email protected]> wrote:
>> >
>> > I can't disagree - but the question then becomes, as Markus and other
>> have pointed out; would that allow a customer/user to check the
>> "Encryption" box for PCI or any other "compliance review"
>>
>> The answer is: it depends (doesn't it always?). Doing secure
>> column-level encryption meets the PCI standard, and a competent PCI auditor
>> will know that. However, TDE has this cachet as being "the way one does
>> it," and if the organization is that way, it's hard to move them off of it.
>>
>> As a sign of how the PCI world views TDE, at least one of the major
>> credit card associations does not use it, and they have literally
>> everyone's credit card number, with expiration date and CVV, sitting on
>> their disks.
>>
>>