From: Ron Johnson
Date: Fri, 31 Oct 2025 11:34:45 -0400
Subject: Re: Enquiry about TDE with PgSQL
To: pgsql-general

On Fri, Oct 31, 2025 at 11:25 AM Greg Sabino Mullane wrote:

> On Fri, Oct 31, 2025 at 10:54 AM Bruce Momjian wrote:
>
>> Disk-level and partition-level encryption typically encrypts
>> the entire disk or partition using the same key, with all data
>> automatically decrypted when the system runs or when an authorized
>> --> user requests it. For this reason, disk-level encryption is not
>> --> appropriate to protect stored PAN on computers, laptops, servers,
>> storage arrays, or any other system that provides transparent
>> decryption upon user authentication.
>
> Hmm, I read this a few times but still not sure what the technical
> objection is. Yes, the entire disk is encrypted with the same key, but why
> is that insufficient to protect things? Anyone care to guess what they are
> thinking here?

Networking.

Who breaks into a DC and steals a rack of disks or SSDs? Very, very few
evil-doers.
Who hacks into networks and exfiltrates data over the wire? Many hackers.

-- 
Death to <Redacted>, and butter sauce.
Don't boil me, I'm still alive.
<Redacted> lobster!