public inbox for [email protected]  
From: Greg Sabino Mullane <[email protected]>
To: Bruce Momjian <[email protected]>
Cc: Kai Wagner <[email protected]>
Cc: Laurenz Albe <[email protected]>
Cc: Ron Johnson <[email protected]>
Cc: pgsql-general <[email protected]>
Subject: Re: Enquiry about TDE with PgSQL
Date: Fri, 31 Oct 2025 11:25:04 -0400
Message-ID: <CAKAnmmKYP0DZpBhFXFBAbpkEkGt8g+MKOsSR=M+nKbvLZ8v89w@mail.gmail.com>
In-Reply-To: <[email protected]>
References: <CACgMzfwSDRF+kQr59h0-xGUobCeFZxwVzE_tUxF18DkVb+vuDQ@mail.gmail.com>
	<CAKAnmmKDCOdUT5JtJZz5papMO0zW1cnG4934d6aQVCQ_KdbUeg@mail.gmail.com>
	<CANzqJaA41CzNjkiQex+A0u9z11i6R3WQZJ+fkXfJO7VJwOMWzg@mail.gmail.com>
	<[email protected]>
	<[email protected]>
	<CAG0qCNhL=SEB4vc4v48PxN1F-t8htC463TpX7KDNWQ-s3s8dtA@mail.gmail.com>
	<[email protected]>

On Fri, Oct 31, 2025 at 10:54 AM Bruce Momjian <[email protected]> wrote:

>         Disk-level and partition-level encryption typically encrypts
>         the entire disk or partition using the same key, with all data
>         automatically decrypted when the system runs or when an authorized
> -->     user requests it. For this reason, disk-level encryption is not
> -->     appropriate to protect stored PAN on computers, laptops, servers,
>         storage arrays, or any other system that provides transparent
>         decryption upon user authentication.
>

Hmm, I read this a few times but still not sure what the technical
objection is. Yes, the entire disk is encrypted with the same key, but why
is that insufficient to protect things? Anyone care to guess what they are
thinking here?

> The biggest possible downside of this standoff is that enterprises that
> need to meet PCI compliance specifications are forced to use specialized
> versions of Postgres or Postgres extensions that support TDE.
>

Not always a downside for the companies selling those specialized versions
though.

Cheers,
Greg

--
Crunchy Data - https://www.crunchydata.com
Enterprise Postgres Software Products & Tech Support

