From: "Clay Jackson (cjackson)"
To: Bruce Momjian, Christophe Pettus
CC: pgsql-general, Kai Wagner, Laurenz Albe, Ron Johnson
Subject: RE: Enquiry about TDE with PgSQL
Date: Sat, 1 Nov 2025 00:24:25 +0000

I can't disagree - but the question then becomes, as Markus and others have pointed out; would that allow a customer/user to check the "Encryption" box for PCI or any other "compliance review"?

Clay Jackson
Database Solutions Sales Engineer
clay.jackson@quest.com
office 949-754-1203
mobile 425-802-9603

-----Original Message-----
From: Bruce Momjian
Sent: Friday, October 31, 2025 5:21 PM
To: Christophe Pettus
Cc: pgsql-general; Kai Wagner; Laurenz Albe; Ron Johnson
Subject: Re: Enquiry about TDE with PgSQL

On Fri, Oct 31, 2025 at 05:16:09PM -0700, Christophe Pettus wrote:
> On Oct 31, 2025, at 07:54, Bruce Momjian wrote:
> > So it seems we have somewhat of a stand-off, with the Postgres
> > project questioning the value of TDE and the PCI writers
> > doubling-down on specifying disk-level encryption as insufficient.
>
> PCI definitely exhibits a preference away from disk-level encryption,
> although it doesn't prohibit it: you have to make sure that simply
> mounting the disk doesn't decrypt it. Their concern is that if user
> credentials are compromised, and an attacker then has to do something
> else in order to see the plaintext. This kind of implies TDE,
> although they don't use that term.
>
> Now, the road forks here:
>
> 1. If a customer wants TDE and isn't interested in hearing about other
> solutions, then TDE is the only thing that will meet that goal.
>
> 2. The PCI spec doesn't specifically offer up TDE as an alternative to
> disk-level encryption, though. It exhibits a strong preference for
> column-level encryption of sensitive data, which doesn't require TDE.
>
> In some ways, there's no real point of discussion. You can comply
> with PCI without TDE (I would argue that, in fact, you are in a better
> position with column-level encryption), but if the organization wants
> TDE, then the technical arguments rarely matter.

I think column-level encryption, on the client side, actually does improve
security and is preferable to file system level TDE, and I think many here
feel the same way.

--
Bruce Momjian https://momjian.us/
EDB https://enterprisedb.com/

Do not let urgent matters crowd out time for investment in the future.