From: Ron Johnson <[email protected]>
To: pgsql-general <[email protected]>
Subject: Re: Enquiry about TDE with PgSQL
Date: Fri, 17 Oct 2025 00:49:06 -0400
Message-ID: <CANzqJaA41CzNjkiQex+A0u9z11i6R3WQZJ+fkXfJO7VJwOMWzg@mail.gmail.com> (raw)
In-Reply-To: <CAKAnmmKDCOdUT5JtJZz5papMO0zW1cnG4934d6aQVCQ_KdbUeg@mail.gmail.com>
References: <CACgMzfwSDRF+kQr59h0-xGUobCeFZxwVzE_tUxF18DkVb+vuDQ@mail.gmail.com>
<CAKAnmmKDCOdUT5JtJZz5papMO0zW1cnG4934d6aQVCQ_KdbUeg@mail.gmail.com>
On Thu, Oct 16, 2025 at 6:05 PM Greg Sabino Mullane <[email protected]> wrote:
>> I would like to enquire that based on the anecdotal experience of group
>> members, which TDE solution works best for PgSQL 17 databases.
>
>
> Generally speaking, there is no "best". People use whatever vendor they
> happen to already use. Your best solution is to avoid TDE altogether. If
> you really need encryption at rest, have the OS do it. That works well
> (transparently, even), is very battle-tested, and has minimal performance
> impact.
>
But filesystem encryption still means that validly logged-in users see the
unencrypted data. That's great for a laptop that might get stolen, or for
drives that are discarded without being wiped, but it is no protection
against hackers who want to exfiltrate your data.
(Neither protects against ransomware, but that's a different problem.)
> TDE, on the other hand, is a very complex and difficult thing to add
> into Postgres.
>
TDE was added to SQL Server, with (to us, at least) minimally-noticed
overhead. Oracle has it, too, but I don't know the details.
The bottom line is that requirements for TDE are escalating, whether you
like it or not, as Yet Another Layer Of Defense against hackers
exfiltrating data, and then threatening to leak it to the public.
--
Death to <Redacted>, and butter sauce.
Don't boil me, I'm still alive.
<Redacted> lobster!