From: Chris Travers
Date: Sat, 1 Nov 2025 11:18:43 +0700
Subject: Re: Enquiry about TDE with PgSQL
To: Christophe Pettus
Cc: "Clay Jackson (cjackson)", Bruce Momjian, pgsql-general, Kai Wagner, Laurenz Albe, Ron Johnson
I maintain that the way forward is to get TDE in core. Perhaps someone could pick up the previous patches and try to push them again.

Best Wishes,
Chris Travers

On Sat, Nov 1, 2025, 8:36 AM Christophe Pettus wrote:

> On Oct 31, 2025, at 17:24, Clay Jackson (cjackson) wrote:
> >
> > I can't disagree - but the question then becomes, as Markus and others have pointed out; would that allow a customer/user to check the "Encryption" box for PCI or any other "compliance review"
>
> The answer is: it depends (doesn't it always?). Doing secure column-level encryption meets the PCI standard, and a competent PCI auditor will know that. However, TDE has this cachet as being "the way one does it," and if the organization is that way, it's hard to move them off of it.
>
> As a sign of how the PCI world views TDE, at least one of the major credit card associations does not use it, and they have literally everyone's credit card number, with expiration date and CVV, sitting on their disks.