From: Ron Johnson
Date: Fri, 17 Oct 2025 08:47:40 -0400
Subject: Re: Enquiry about TDE with PgSQL
To: pgsql-general

On Fri, Oct 17, 2025 at 3:01 AM Laurenz Albe wrote:

> On Fri, 2025-10-17 at 00:49 -0400, Ron Johnson wrote:
> > On Thu, Oct 16, 2025 at 6:05 PM Greg Sabino Mullane wrote:
> > >
> > > TDE, on the other hand, is a very complex and difficult thing to add into Postgres.
> >
> > TDE was added to SQL Server, with (to us, at least) minimally-noticed overhead.
> > Oracle has it, too, but I don't know the details.
> >
> > The bottom line is that requirements for TDE are escalating, whether you like it or
> > not, as Yet Another Layer Of Defense against hackers exfiltrating data, and then
> > threatening to leak it to the public.
>
> Bruce Momjian has interesting things to say about that in
> https://compiledconversations.com/6/ (unfortunately I don't remember where
> exactly in this 84 minute piece).
>
> It is a feature that users want (or need to comply with whatever they feel
> they have to comply with). On the other hand, it has very limited technical
> or security value, which hampers its acceptance into core.

I gave you a reason: "Yet Another Layer Of Defense against hackers exfiltrating data". It's the same reason PgBackRest encrypts backups.

--
Death to <Redacted>, and butter sauce.
Don't boil me, I'm still alive.
<Redacted> lobster!