Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <pgsql-general-owner+archive@lists.postgresql.org>)
	id 1v9W6F-001nUj-5l
	for pgsql-general@arkaria.postgresql.org; Thu, 16 Oct 2025 22:05:30 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.94.2)
	(envelope-from <pgsql-general-owner+archive@lists.postgresql.org>)
	id 1v9W6E-00FrEf-32
	for pgsql-general@arkaria.postgresql.org; Thu, 16 Oct 2025 22:05:29 +0000
Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29])
	by malur.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <htamfids@gmail.com>)
	id 1v9W6D-00FrEX-Pf
	for pgsql-general@lists.postgresql.org; Thu, 16 Oct 2025 22:05:28 +0000
Received: from mail-il1-x12f.google.com ([2607:f8b0:4864:20::12f])
	by magus.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	(Exim 4.96)
	(envelope-from <htamfids@gmail.com>)
	id 1v9W6A-002bPz-1J
	for pgsql-general@postgresql.org;
	Thu, 16 Oct 2025 22:05:28 +0000
Received: by mail-il1-x12f.google.com with SMTP id e9e14a558f8ab-430a4bf6b6dso5696995ab.0
        for <pgsql-general@postgresql.org>; Thu, 16 Oct 2025 15:05:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1760652324; x=1761257124; darn=postgresql.org;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:from:to:cc:subject:date:message-id:reply-to;
        bh=9XWX5WVYvWPlxv7fRhMc1HdK8YhtEeVC0HAoSzJ0BjE=;
        b=iX40txy36sHfai+rA0DytMnEBKQcbxnsipfHOoBqfaf/SrdurSQ+iK40g9VWUWn2Oo
         TLPh+uHURP49gNN8OgxnDV5OuZSqKBdRLOl+OAASH+zkPeVjAIzgXH2St7BGdul07h6K
         Mpa36L947FuRXPmMxH9SEjFV1gzrE41UBh0frR/5JguWLB03iUmB1NxD7kym3O297bH0
         qSQk4qX1MujeLDu29NC9oiKof/2ORHdy3jRTFAsrtDSRwR779Rd3ZZExLNYZdtQflpJr
         qQt3dXPbWzSsW1/NBo2KFernMgspFG9H4XjWmzsixKGBpbjbyuKwo1H8cDSOLlGSPd3X
         Tpzw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1760652324; x=1761257124;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id
         :reply-to;
        bh=9XWX5WVYvWPlxv7fRhMc1HdK8YhtEeVC0HAoSzJ0BjE=;
        b=jUe3kVmHJXnwpEvSSS1xp3RwnLzp3vm3oEXDwvotZb1dh3FFJpqsfkkCxPr6xobOSE
         cYU5hlHyxveXpu4/F6CJkZR0+86iaia5xPqYRYYHL/CyVFhsnAwzMS6XkYk8apMlrWhE
         ZOwYy3fKBCL3IARZGE7OWLZSCjfZZAor6MKJO8vTzxn4vtcrASFYOXsEOhiFOkOA7bt+
         idkbW7YfMgJeBn0Y7AspM+gwUU2FvZP3s/lbcz8T/tO2g+vuDn3Fx6/thN8vecM1bIaj
         DZY3FtUZ8urxQm5SlQZUUwFOex+tEKHCiMETWbSrpoAz8iVTA23BL/szkW61fki/DGT3
         4MYA==
X-Gm-Message-State: AOJu0YxLlSVXIcCes4LyQJUbj2yLwe/3Y+Ftmen+aTXaRaHYYXUkRYfP
	6OApvu/meaFDzFspUU+3muCBiI8FVVGbkr6Atc6gRQk3EDTsPxx8zpG6o83mFY4GKpZYSvdeMgX
	PT3/GEMLs+F7ctWsaLrxgtKg5zp1CndA=
X-Gm-Gg: ASbGncvND9XcKTA4zbkpHL86z5wKvc3zz23EFfLi5pO0Q1l44pfG8on33yYajgb8pkM
	QnqgWUG8kgYp0HRKjzscgCvbb3daspaU63va3CMyF8H1qobBv2TNsL6uJSPpWb0IYDhThajjFNM
	lxuIKvEGm8Nd6n+yshEVWF1I33FhpJc5Aqjl1UcLmUgXzv0tvrPiRAlYQ9KOyLsBrlg5q4psctJ
	rmAuOYG96eQlg17PNAiH+7UAdaS6ZHnG/wimdyXua5M3M5a47Jk+lejPZ/7audf+P3DiJ2JDema
	fxh7Cxkzmf9nOnSOiqLs6wy6XRoyTw==
X-Google-Smtp-Source: AGHT+IERn2JE9OuuGuCoroaDdsujSwVaYkMIKrnozjS2dxW5Mv/2363Fjl9O6ucy7c6jTllzDwtlD22R0bopQpf1IyU=
X-Received: by 2002:a05:6e02:3c04:b0:430:b467:1af8 with SMTP id
 e9e14a558f8ab-430c526fd94mr23634175ab.2.1760652324005; Thu, 16 Oct 2025
 15:05:24 -0700 (PDT)
MIME-Version: 1.0
References: <CACgMzfwSDRF+kQr59h0-xGUobCeFZxwVzE_tUxF18DkVb+vuDQ@mail.gmail.com>
In-Reply-To: <CACgMzfwSDRF+kQr59h0-xGUobCeFZxwVzE_tUxF18DkVb+vuDQ@mail.gmail.com>
From: Greg Sabino Mullane <htamfids@gmail.com>
Date: Thu, 16 Oct 2025 18:04:49 -0400
X-Gm-Features: AS18NWC-bTpZ4ETKX7WAITc3wrR5FJmu1XfMyDF-HYfYT3NDyDJGnMG_gJAlESg
Message-ID: <CAKAnmmKDCOdUT5JtJZz5papMO0zW1cnG4934d6aQVCQ_KdbUeg@mail.gmail.com>
Subject: Re: Enquiry about TDE with PgSQL
To: Ashish Mukherjee <ashish.mukherjee@gmail.com>
Cc: pgsql-general@postgresql.org
Content-Type: multipart/alternative; boundary="00000000000058706406414dd03d"
List-Id: <pgsql-general.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-general@lists.postgresql.org>
List-Owner: <mailto:pgsql-general-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-general>
Archived-At: <https://www.postgresql.org/message-id/CAKAnmmKDCOdUT5JtJZz5papMO0zW1cnG4934d6aQVCQ_KdbUeg%40mail.gmail.com>
Precedence: bulk

--00000000000058706406414dd03d
Content-Type: text/plain; charset="UTF-8"

>
> I would like to enquire that based on the anecdotal experience of group
> members, which TDE solution works best for PgSQL 17 databases.


Generally speaking, there is no "best". People use whatever vendor they
happen to already use. Your best solution is to avoid TDE altogether. If
you really need encryption at rest, have the OS do it. That works well
(transparently, even), is very battle-tested, and has minimal performance
impact. TDE, on the other hand, is a very complex and difficult thing to
add into Postgres. Currently it means you are using a forked version of
Postgres and are incurring overhead every time you read or write to disk.

 The scenario I have is of a large number of tables (15-20K) and some
> tables with 100M tuples each. The total database size is 4TB.


The size and number of tables does not really matter. How often you write
WAL, and how often things move in and out of shared buffers is what matters.

Cheers,
Greg

--00000000000058706406414dd03d
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px =
0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">I would =
like to enquire that based on the anecdotal experience of group members, wh=
ich TDE solution works best for PgSQL 17 databases.</blockquote><div><br></=
div>Generally speaking, there is no &quot;best&quot;. People use whatever v=
endor they happen to already use. Your best solution is to avoid TDE altoge=
ther. If you really need encryption at rest, have the OS do it. That works =
well (transparently, even), is very battle-tested, and has minimal performa=
nce impact. TDE, on the other hand, is a very complex and difficult thing t=
o add into=C2=A0Postgres. Currently it means=C2=A0you are using a forked ve=
rsion of Postgres and are incurring overhead every time you read or write t=
o disk.<div><br></div><div><blockquote class=3D"gmail_quote" style=3D"margi=
n:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex=
">=C2=A0The=C2=A0scenario I=C2=A0have is of a large number of tables (15-20=
K) and some tables with 100M tuples each. The total database size is 4TB.</=
blockquote><div><br></div></div><div>The size and number of tables does not=
 really matter. How often you write WAL, and how often things move in and o=
ut of shared buffers is what matters.</div><div><br></div><div>Cheers,</div=
><div>Greg</div><div><br></div></div>

--00000000000058706406414dd03d--