MIME-Version: 1.0
References: <CACgMzfwSDRF+kQr59h0-xGUobCeFZxwVzE_tUxF18DkVb+vuDQ@mail.gmail.com>
 <CAKAnmmKDCOdUT5JtJZz5papMO0zW1cnG4934d6aQVCQ_KdbUeg@mail.gmail.com>
 <CANzqJaA41CzNjkiQex+A0u9z11i6R3WQZJ+fkXfJO7VJwOMWzg@mail.gmail.com>
 <a1dae4a583d560a90c67872b766ead02ddb13e51.camel@cybertec.at>
 <aQPDvqUzZVKkaxsS@momjian.us> <CAG0qCNhL=SEB4vc4v48PxN1F-t8htC463TpX7KDNWQ-s3s8dtA@mail.gmail.com>
 <aQTNmM-3VeTRZdx0@momjian.us> <FC8C7F2D-CD38-42C7-80D3-516239B70A2D@thebuild.com>
 <aQVScCjItvCtgVPn@momjian.us> <CO1PR19MB4984B665A5F9F38A5E0FB5969BF9A@CO1PR19MB4984.namprd19.prod.outlook.com>
 <3DC589BC-A5F6-49BC-BFFC-F1FCB0FF7E95@thebuild.com> <CAKt_ZfuwPgG_nJHp6S=8k_+NdA6Op7hE0z7+s4-HuBqr1cnwsg@mail.gmail.com>
In-Reply-To: <CAKt_ZfuwPgG_nJHp6S=8k_+NdA6Op7hE0z7+s4-HuBqr1cnwsg@mail.gmail.com>
From: Kai Wagner <kai.wagner@percona.com>
Date: Sat, 1 Nov 2025 08:34:57 +0100
Message-ID: <CAG0qCNjd2m9Ej1ZEwuCCkgsqJz0vnso3ZFwjKCxzwUfnfu=SNw@mail.gmail.com>
Subject: Re: Enquiry about TDE with PgSQL
To: Chris Travers <chris.travers@gmail.com>
Cc: Christophe Pettus <xof@thebuild.com>, "Clay Jackson (cjackson)" <Clay.Jackson@quest.com>, 
	Bruce Momjian <bruce@momjian.us>, pgsql-general <pgsql-general@postgresql.org>, 
	Laurenz Albe <laurenz.albe@cybertec.at>, Ron Johnson <ronljohnsonjr@gmail.com>
Content-Type: multipart/alternative; boundary="0000000000008022be064283854a"
Archived-At: <https://www.postgresql.org/message-id/CAG0qCNjd2m9Ej1ZEwuCCkgsqJz0vnso3ZFwjKCxzwUfnfu%3DSNw%40mail.gmail.com>
Precedence: bulk

--0000000000008022be064283854a
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Sat, Nov 1, 2025 at 5:19=E2=80=AFAM Chris Travers <chris.travers@gmail.c=
om>
wrote:

> I maintain that the way forward is to get TDE in core.  Perhaps someone
> could pick up the previous patches and try to push them again
>
I wholeheartedly agree, as in this thread we are trying to do the same
thing again, that has already happened all they years before. We lose
ourselves in technical reasons, wondering why this makes no sense and how
it could be achieved differently, but we forget that we live in a vacuum
and bubble here.  The auditor, most of the time (as I've seen many times),
has no knowledge of these technical aspects. It's a box to check, with a
simple 'yes' or 'no'. They don't even wanna hear any "but this also
satisfies it, as this isn't clearly stated and worded in the standard".
This doesn't get us anywhere anymore; they will not put their checkbox
there if there is no simple answer to it.

@Bruce Momjian <bruce@momjian.us> I totally understand your frustration
from previous times and also your point of view, that's absolutely valid,
no doubt about that. The time has changed over the course of the last 5+
years, and maybe it is time to reconsider. Just because it didn't succeed
last time doesn't mean we have to end up in the same spot this time. We
discussed it at length, and I am committed to supporting and making happen
what's necessary to get TDE fully functional with postgres directly. The
way of the implementation is a different question. Who from the former
times, or maybe even now, being interested in the topic, would be open for
a TDE group, to technically discuss options, possibilities etc. that we can
POC on and share for further feedback?!


>
> Best Wishes,
> Chris Travers
>
>
> On Sat, Nov 1, 2025, 8:36=E2=80=AFAM Christophe Pettus <xof@thebuild.com>=
 wrote:
>
>> On Oct 31, 2025, at 17:24, Clay Jackson (cjackson) <
>> Clay.Jackson@quest.com> wrote:
>> >
>> > I can't disagree - but the question them becomes, as Markus and other
>> have pointed out; would that allow a customer/user to check the
>> "Encryption" box for PCI or any other "compliance review"
>>
>> The answer is: it depends (doesn't it always?).  Doing secure
>> column-level encryption meets the PCI standard, and a competent PCI audi=
tor
>> will know that.  However, TDE has this cache as being "the way one does
>> it," and if the organization is that way, it's hard to move them off of =
it.
>>
>> As a sign of how the PCI world views TDE, at least one of the major
>> credit card associations does not use it, and they have literally
>> everyone's credit card number, with expiration date and CVV, sitting on
>> their disks.
>>
>>

--0000000000008022be064283854a
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div dir=3D"ltr"><br></div><br><div class=3D"gmail_quote g=
mail_quote_container"><div dir=3D"ltr" class=3D"gmail_attr">On Sat, Nov 1, =
2025 at 5:19=E2=80=AFAM Chris Travers &lt;<a href=3D"mailto:chris.travers@g=
mail.com">chris.travers@gmail.com</a>&gt; wrote:<br></div><blockquote class=
=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rg=
b(204,204,204);padding-left:1ex"><div dir=3D"auto"><div>I maintain that the=
 way forward is to get TDE in core.=C2=A0 Perhaps someone could pick up the=
 previous patches and try to push them again</div></div></blockquote><div>I=
 wholeheartedly=C2=A0agree, as in this thread we are trying to do the same =
thing again, that has already happened=C2=A0all they years before. We lose =
ourselves in technical reasons, wondering why this makes no sense and how i=
t could be achieved differently, but we forget that we live in a vacuum and=
 bubble here.=C2=A0 The auditor, most of the time (as I&#39;ve seen many ti=
mes), has no knowledge of these technical aspects. It&#39;s a box to check,=
 with a simple &#39;yes&#39; or &#39;no&#39;. They don&#39;t even wanna hea=
r any &quot;but this also satisfies it, as this isn&#39;t clearly stated an=
d worded in the standard&quot;. This doesn&#39;t get us anywhere anymore; t=
hey will not put their checkbox there if there is no simple answer to it.</=
div><div><br></div><div><a class=3D"gmail_plusreply" id=3D"plusReplyChip-0"=
 href=3D"mailto:bruce@momjian.us" tabindex=3D"-1">@Bruce Momjian</a>=C2=A0I=
 totally understand your frustration from previous times and also your poin=
t of view, that&#39;s absolutely valid, no doubt about that. The time has c=
hanged over the course of the last 5+ years, and maybe it is time to recons=
ider. Just because it didn&#39;t succeed last time doesn&#39;t mean we have=
 to end up in the same spot this time. We discussed it at length, and I am =
committed to supporting and making happen what&#39;s necessary to get TDE f=
ully functional with postgres directly. The way of the implementation is a =
different question. Who from the former times, or maybe even now, being int=
erested in the topic, would be open for a TDE group, to technically discuss=
 options, possibilities etc. that we can POC on and share for further feedb=
ack?!<br></div><div><br></div><blockquote class=3D"gmail_quote" style=3D"ma=
rgin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:=
1ex"><div dir=3D"auto"><div dir=3D"auto"><br></div><div><br></div><div><div=
 dir=3D"ltr">Best Wishes,<div>Chris Travers</div><div><br></div></div></div=
></div><br><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr"=
>On Sat, Nov 1, 2025, 8:36=E2=80=AFAM Christophe Pettus &lt;<a href=3D"mail=
to:xof@thebuild.com" target=3D"_blank">xof@thebuild.com</a>&gt; wrote:<br><=
/div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;bo=
rder-left:1px solid rgb(204,204,204);padding-left:1ex">On Oct 31, 2025, at =
17:24, Clay Jackson (cjackson) &lt;<a href=3D"mailto:Clay.Jackson@quest.com=
" rel=3D"noreferrer" target=3D"_blank">Clay.Jackson@quest.com</a>&gt; wrote=
:<br>
&gt; <br>
&gt; I can&#39;t disagree - but the question them becomes, as Markus and ot=
her have pointed out; would that allow a customer/user to check the &quot;E=
ncryption&quot; box for PCI or any other &quot;compliance review&quot;<br>
<br>
The answer is: it depends (doesn&#39;t it always?).=C2=A0 Doing secure colu=
mn-level encryption meets the PCI standard, and a competent PCI auditor wil=
l know that.=C2=A0 However, TDE has this cache as being &quot;the way one d=
oes it,&quot; and if the organization is that way, it&#39;s hard to move th=
em off of it.<br>
<br>
As a sign of how the PCI world views TDE, at least one of the major credit =
card associations does not use it, and they have literally everyone&#39;s c=
redit card number, with expiration date and CVV, sitting on their disks.<br=
>
<br>
</blockquote></div>
</blockquote></div></div>

--0000000000008022be064283854a--