MIME-Version: 1.0
References: <CACgMzfwSDRF+kQr59h0-xGUobCeFZxwVzE_tUxF18DkVb+vuDQ@mail.gmail.com>
 <CAKAnmmKDCOdUT5JtJZz5papMO0zW1cnG4934d6aQVCQ_KdbUeg@mail.gmail.com> <CANzqJaA41CzNjkiQex+A0u9z11i6R3WQZJ+fkXfJO7VJwOMWzg@mail.gmail.com>
In-Reply-To: <CANzqJaA41CzNjkiQex+A0u9z11i6R3WQZJ+fkXfJO7VJwOMWzg@mail.gmail.com>
From: Greg Sabino Mullane <htamfids@gmail.com>
Date: Fri, 17 Oct 2025 09:12:42 -0400
Message-ID: <CAKAnmmKjyG3jOhFRP_wq_Hm0Zi6t8esx8Xsxqkjn9BPkAXmeMw@mail.gmail.com>
Subject: Re: Enquiry about TDE with PgSQL
To: Ron Johnson <ronljohnsonjr@gmail.com>
Cc: pgsql-general <pgsql-general@postgresql.org>
Content-Type: multipart/alternative; boundary="00000000000039c86b06415a7f4b"
Archived-At: <https://www.postgresql.org/message-id/CAKAnmmKjyG3jOhFRP_wq_Hm0Zi6t8esx8Xsxqkjn9BPkAXmeMw%40mail.gmail.com>
Precedence: bulk

--00000000000039c86b06415a7f4b
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Fri, Oct 17, 2025 at 12:49=E2=80=AFAM Ron Johnson <ronljohnsonjr@gmail.c=
om>
wrote:

But filesystem encryption still means that validly logged-in users see the
> unencrypted data.  That's great for a laptop that might get stolen, or fo=
r
> drives that are discarded without being wiped, but are no protection
> against hackers who want to exfiltrate your data.


I stand by my recommendation. If someone is logged in and has access to
your data directory (e.g. is root or postgres user), then they also have
the TDE key or some easy way to bypass it.

TDE was added to SQL Server, with (to us, at least) minimally-noticed
> overhead.  Oracle has it, too, but I don't know the details.
> The bottom line is that requirements for TDE are escalating, whether you
> like it or not


I'm not arguing against putting TDE in Postgres - indeed, I am all for
that. But it's a very tricky thing to do technically, with minimal benefits
other than "checking the box" of some security requirements document.

The bottom line is that requirements for TDE are escalating, whether you
> like it or not, as Yet Another Layer Of Defense against hackers
> exfiltrating data, and then threatening to leak it to the public.
>

I'd love to see a real-world example where TDE would have saved someone but
disk encryption could not.

--=20
Cheers,
Greg

--
Crunchy Data - https://www.crunchydata.com
Enterprise Postgres Software Products & Tech Support

--00000000000039c86b06415a7f4b
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div dir=3D"ltr">On Fri, Oct 17, 2025 at 12:49=E2=80=AFAM =
Ron Johnson &lt;<a href=3D"mailto:ronljohnsonjr@gmail.com">ronljohnsonjr@gm=
ail.com</a>&gt; wrote:</div><div dir=3D"ltr"><br></div><blockquote class=3D=
"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(2=
04,204,204);padding-left:1ex">But filesystem encryption still means that va=
lidly logged-in users see the unencrypted data.=C2=A0 That&#39;s great for =
a laptop that might get stolen, or for drives that are discarded without be=
ing wiped, but are no protection against hackers who want to exfiltrate you=
r data.</blockquote><div><br></div><div>I stand by my recommendation. If so=
meone is logged in and has access to your data directory (e.g. is root or p=
ostgres user), then they also have the TDE key or some easy way to bypass i=
t.=C2=A0</div><div dir=3D"ltr"><br></div><div class=3D"gmail_quote gmail_qu=
ote_container"><div><div class=3D"gmail_quote"><blockquote class=3D"gmail_q=
uote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,2=
04);padding-left:1ex">TDE was added to SQL Server, with (to us, at least) m=
inimally-noticed overhead.=C2=A0 Oracle has it, too, but I don&#39;t know t=
he details.<br>The bottom line is that requirements for TDE are escalating,=
 whether you like it or not</blockquote><div></div></div></div><div><br></d=
iv><div>I&#39;m not arguing against putting TDE in Postgres - indeed, I am =
all for that. But it&#39;s a very tricky thing to do technically, with mini=
mal benefits other than &quot;checking the box&quot; of some security requi=
rements document.</div><div><br></div><blockquote class=3D"gmail_quote" sty=
le=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);paddi=
ng-left:1ex"><div dir=3D"ltr"><div>The bottom line is that requirements for=
 TDE are escalating, whether you like it or not, as Yet Another Layer Of De=
fense against hackers exfiltrating data, and then threatening to leak it to=
 the public.</div></div></blockquote></div><div><br></div><div>I&#39;d love=
 to see a real-world example where TDE would have saved someone but disk en=
cryption could not.</div><div><br></div><span class=3D"gmail_signature_pref=
ix">-- </span><br><div dir=3D"ltr" class=3D"gmail_signature"><div dir=3D"lt=
r"><div>Cheers,</div><div>Greg</div><div><br></div><div>--</div><div>Crunch=
y Data - <a href=3D"https://www.crunchydata.com" target=3D"_blank">https://=
www.crunchydata.com</a></div><div>Enterprise Postgres Software Products &am=
p; Tech Support</div><div><br></div></div></div></div>

--00000000000039c86b06415a7f4b--