From: Ron Johnson
Date: Fri, 17 Oct 2025 00:49:06 -0400
Subject: Re: Enquiry about TDE with PgSQL
To: pgsql-general

On Thu, Oct 16, 2025 at 6:05 PM Greg Sabino Mullane wrote:

>> I would like to enquire, based on the anecdotal experience of group
>> members, which TDE solution works best for PgSQL 17 databases.
>
> Generally speaking, there is no "best". People use whatever vendor they
> happen to already use. Your best solution is to avoid TDE altogether. If
> you really need encryption at rest, have the OS do it. That works well
> (transparently, even), is very battle-tested, and has minimal performance
> impact.

But filesystem encryption still means that validly logged-in users see the
unencrypted data. That's great for a laptop that might get stolen, or for
drives that are discarded without being wiped, but it is no protection
against hackers who want to exfiltrate your data.

(Neither protects against ransomware, but that's a different problem.)

> TDE, on the other hand, is a very complex and difficult thing to add
> into Postgres.

TDE was added to SQL Server, with (to us, at least) minimally-noticed
overhead. Oracle has it, too, but I don't know the details.

The bottom line is that requirements for TDE are escalating, whether you
like it or not, as Yet Another Layer Of Defense against hackers exfiltrating
data, and then threatening to leak it to the public.

--
Death to <Redacted>, and butter sauce.
Don't boil me, I'm still alive.
<Redacted> lobster!