Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vifw1-00Cvnx-0a for pgsql-general@arkaria.postgresql.org; Wed, 21 Jan 2026 21:40:17 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1vifw0-009brr-04 for pgsql-general@arkaria.postgresql.org; Wed, 21 Jan 2026 21:40:16 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vifvz-009brj-1n for pgsql-general@lists.postgresql.org; Wed, 21 Jan 2026 21:40:16 +0000 Received: from mail-pg1-x52d.google.com ([2607:f8b0:4864:20::52d]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.96) (envelope-from ) id 1vifvw-001eyx-2R for pgsql-general@postgresql.org; Wed, 21 Jan 2026 21:40:15 +0000 Received: by mail-pg1-x52d.google.com with SMTP id 41be03b00d2f7-c61342a69b9so96081a12.0 for ; Wed, 21 Jan 2026 13:40:13 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1769031612; cv=none; d=google.com; s=arc-20240605; b=Pg6FPr5beYi5uDLxR5px5dXoFai/E/hJ44BS5WD2GKlgK2XNble8WBwEIF5aK+rd51 pdxR49ksZrsBOiKR8oHgbJPUIyrsaBllzEvoRq6zz/3ZZLN9qlwK3fT/EKPBJn3gn/wO 0A32C292Udzv/auU18CSyjvtKB3e/a+vRPKMEsNHRRxYSP/hlG4agB+9Vj5OQ6HYAsw1 hLFYLLcSPW9jZiwVib9xRRH/77UvU4inAGKl+k1peqm2kW+2LUjw9+LFjIWi96vbae+8 Or+T+mEjb8XZJ5mwCUfimwbB52lJJbpt9zHqnLus75zHdZdOkNFgPs1czAytX8XeafaC Zi2A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=NI4lFIQ0NAIJg1WS0XrPGuEr443R6crOHWxPWByrByg=; fh=KNSq+t9BltSXFnT3Yof/aKGBtqxeA+bTALiYdvTslaY=; b=DBPMijR5gzpAnNyDe1O3v0sfJD3B47F/0A9SBbpCGmrmcXelf3r+RKqoBv20PQ69MU FQAzFYilwae4VY6P20D664y/B4ky97RpnN5B2nehp1EAKCyNJJds7pkY1DnWPFvWYaxI 3sA9M3p7Xt16OmlnRjHO3G1oeMPponnYK/PVSoMEuHgs3+wQa/iNghrI7G52B9kePURN PBJpbwkHxgkUmEgs6jdVgNpXu/mJ5F7Qz79W98Pswi6b7G/583x2QZFh4WlEVnrKNEw7 045mqN9MQNOBpAH0G1ty9ruOvOOfbOLqwsipXb5fejED0+9S9ZVE3zBmAky3Sz4pIsPs 6NvA==; darn=postgresql.org ARC-Authentication-Results: i=1; mx.google.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1769031612; x=1769636412; darn=postgresql.org; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=NI4lFIQ0NAIJg1WS0XrPGuEr443R6crOHWxPWByrByg=; b=C7evnsvOZqs+Y+3UvF6R72fuNgxfTH2T7ZZethOO5tcZGuTBBPzFG7u/BRnpPFHLrp UxbwHGCQyqo6pFkdRJ5ZhchP8HY6LsKFvTEfpMaKBWfO9dWXAx/obEZV3IuWYsAbzLaD PrvhLlxUPMTNaOh8/m3q4VBZcoGSh1US0kO3JkM03rXZGRwllJxpj4MM5LHBb8Zn4ybJ HMML89zE8nUTZxlD5Y1/mLJDARO8oegXru4Ze2KlLGpHODEoG3NSRSJeF4ZJbtBE7Y0V H2qubZcmrAVVhRAv+YLQVI6Sb8s3/1kf7ybsAzz6U3jGFGklrHZ8xl8CxXMnpgkq5qDJ tqwg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1769031612; x=1769636412; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=NI4lFIQ0NAIJg1WS0XrPGuEr443R6crOHWxPWByrByg=; b=bIwKvW1eZCdsI5pltWXoDGigfmn1FNXoPheYKnzPnPXJnJsfbroHTX+JjiwQ6kXeTK /1WVDzg17d5WUd3YoSwbOevEu+KJBcsGzDDJNUv5gqrVXVcRztkNKijuexZzx1MKOVjy YwfEl3hDRal4yc5zXHkf6SzifMEzxF3w/WB8CW4FXdZfw6fOIAXLvrHjZKDksPrC3zFR TptkIL8SolNLidu2znyR4lu8hJH4hdmZQwo39SIx5VdPNV/kU+RhLxNoH1/M6LAJ138A ET70i+r0LLP5tLExYTsQxvu6eKdEJIMaBIToCl4jFcVIiogNcegmMkSpMrzhwNEKe2qF LpDA== X-Gm-Message-State: AOJu0YySHBOjz5kxkYeqFju7NMqwnsyIQQAGp+U1Sprb9F3olymJEqkH qBSi3SzBiUVO7utXoxPDT063cWXxokA7/zrgx5nSo1Lz/FlQ9qEmfrPYjOnaUfkNFYLBlL6Jnlv 7WtZPXaAM36IGhnG3abnFgbYaLtCDPfhTFw== X-Gm-Gg: AZuq6aKXo/mbBNe7FyXywoSQvSsf+eiTV2i8qnE1ynvLpb3GQ6S/4cbJdRRJsmLPAU3 z8nj/7ndbh15e1fzOn9mHNlaYwWBbCgQDTVuClOq83XWWpwgoqI+pvF+peAnz5JIT2e+J14mgBt Nho+XS1kUPUKId8TZo3vU2pcH/onRzMTvpl5s6QdhEPFvPz9h8A9+aoLCSQ/+7wJae/GrBhKTqA tCpuRq46crI+rrWr3Mmu7gUFtwPC7i0C3wBHf5s82aIVfhY7bJcmd6ygrmoJg2bp86C1SM3+ISD +4iqs28= X-Received: by 2002:a17:90b:568d:b0:32d:e780:e9d5 with SMTP id 98e67ed59e1d1-3527323b1b5mr13144412a91.22.1769031612006; Wed, 21 Jan 2026 13:40:12 -0800 (PST) MIME-Version: 1.0 References: In-Reply-To: From: Ron Johnson Date: Wed, 21 Jan 2026 16:40:01 -0500 X-Gm-Features: AZwV_QiwnQ9cSPFgZ5WNyrz9DgVnlu6KATeCmnRPaMccJHKTgdhRfNETuJE52V0 Message-ID: Subject: Re: Request for cryptographic mechanisms used in PostgreSQL To: pgsql-general Content-Type: multipart/alternative; boundary="000000000000d487c30648ecc43e" List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --000000000000d487c30648ecc43e Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable You can't write a document about your own prod systems without knowing what (if any!) cryptography *your* prod systems use. On Wed, Jan 21, 2026 at 1:27=E2=80=AFAM ManiR w= rote: > Hi All, > > Thank you for the responses and suggestions so far. > > We understand the suggestion to use an LLM as a starting point; however, > for our compliance and audit requirements, we would like to ensure that t= he > resulting CBOM is technically accurate and well-grounded in PostgreSQL=E2= =80=99s > actual behavior. > > Could you please let us know: > > - > > whether there are any *existing sample CBOMs or similar cryptographic > inventories* available for PostgreSQL (even informal or > community-created ones), and > - > > what would be the *recommended approach or steps* to identify and > document PostgreSQL=E2=80=99s cryptographic mechanisms accurately. > > If anyone has previously undertaken a *similar exercise* (CBOM, crypto > inventory, or security documentation) for PostgreSQL, any guidance, > references, or documentation outlining the *process followed* would be > greatly appreciated. > > Thank you again for your time and help. > > Regards, > > Manikandan R > > > On Wed, Jan 21, 2026 at 1:34=E2=80=AFAM Nico Williams > wrote: > >> On Tue, Jan 20, 2026 at 02:47:36PM +0530, ManiR wrote: >> > We would like your guidance on the *cryptographic mechanisms used by >> > PostgreSQL*, including: >> >> FYI this is the sort of thing where LLMs shine. I would start by asking >> an LLM to write this and then I'd have expert humans review it. >> >> Keep in mind that some of the cryptographic mechanism/algorithm usage is >> transitive via PostgreSQL's dependencies (e.g., SASL, GSS-API, TLS), but >> you might not be interested in expanding that (since you might want to >> do separate CBOMs for those. >> >> Keep in mind that some uses are not actually uses, like the PG crypto >> extension, which makes cryptography available to PG _applications_. >> >> You should also look at options to _not_ use cryptographic mechanisms. >> I.e., options to use cleartext protocols. Obviously it's much worse to >> have a cleartext protocol than one that uses, say, 1DES, even though >> 1DES is so weak as to be useles. Often auditors have a blind spot here. >> >> And it's important not to treat the presence of, say, MD5 as fatal when >> it's not being used for security-critical purposes. >> >> IMO, >> >> Nico >> -- >> > --=20 Death to , and butter sauce. Don't boil me, I'm still alive. lobster! --000000000000d487c30648ecc43e Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
You can't write a document about your own prod sy= stems without knowing what (if any!) cryptography=C2=A0your=C2=A0pro= d systems use.

On Wed, Jan 21, 2026 at= 1:27=E2=80=AFAM ManiR <man= i.retnaswamy@gmail.com> wrote:

Hi All,

Thank you for the responses and suggestions so fa= r.

We understand the suggestion to use an LLM as a starting point; ho= wever, for our compliance and audit requirements, we would like to ensure t= hat the resulting CBOM is technically accurate and well-grounded in Postgre= SQL=E2=80=99s actual behavior.

Could you please let us know:

    <= li>

    whether there are any existing sample CBOMs or similar crypto= graphic inventories available for PostgreSQL (even informal or com= munity-created ones), and

  • what would be the recommen= ded approach or steps to identify and document PostgreSQL=E2=80=99= s cryptographic mechanisms accurately.

If anyone has previo= usly undertaken a similar exercise (CBOM, crypto inventory= , or security documentation) for PostgreSQL, any guidance, references, or d= ocumentation outlining the process followed would be great= ly appreciated.

Thank you again for your time and help.

Regards= ,

Manikandan R



On Wed, Jan 21, 2026 at 1:34=E2=80=AFAM Nico = Williams <nic= o@cryptonector.com> wrote:
On Tue, Jan 20, 2026 at 02:47:36PM +0530, ManiR wrote: > We would like your guidance on the *cryptographic mechanisms used by > PostgreSQL*, including:

FYI this is the sort of thing where LLMs shine.=C2=A0 I would start by aski= ng
an LLM to write this and then I'd have expert humans review it.

Keep in mind that some of the cryptographic mechanism/algorithm usage is transitive via PostgreSQL's dependencies (e.g., SASL, GSS-API, TLS), bu= t
you might not be interested in expanding that (since you might want to
do separate CBOMs for those.

Keep in mind that some uses are not actually uses, like the PG crypto
extension, which makes cryptography available to PG _applications_.

You should also look at options to _not_ use cryptographic mechanisms.
I.e., options to use cleartext protocols.=C2=A0 Obviously it's much wor= se to
have a cleartext protocol than one that uses, say, 1DES, even though
1DES is so weak as to be useles.=C2=A0 Often auditors have a blind spot her= e.

And it's important not to treat the presence of, say, MD5 as fatal when=
it's not being used for security-critical purposes.

IMO,

Nico
--


--
Death to <Redacted>, and butter sauce.Don't boil me, I'm still alive.
<Redacted> lobs= ter!
--000000000000d487c30648ecc43e--