public inbox for [email protected]
From: Christophe Pettus <[email protected]>
To: pgsql-general <[email protected]>
Cc: Kai Wagner <[email protected]>
Cc: Laurenz Albe <[email protected]>
Cc: Ron Johnson <[email protected]>
Cc: Bruce Momjian <[email protected]>
Subject: Re: Enquiry about TDE with PgSQL
Date: Fri, 31 Oct 2025 17:16:09 -0700
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <CACgMzfwSDRF+kQr59h0-xGUobCeFZxwVzE_tUxF18DkVb+vuDQ@mail.gmail.com>
<CAKAnmmKDCOdUT5JtJZz5papMO0zW1cnG4934d6aQVCQ_KdbUeg@mail.gmail.com>
<CANzqJaA41CzNjkiQex+A0u9z11i6R3WQZJ+fkXfJO7VJwOMWzg@mail.gmail.com>
<[email protected]>
<[email protected]>
<CAG0qCNhL=SEB4vc4v48PxN1F-t8htC463TpX7KDNWQ-s3s8dtA@mail.gmail.com>
<[email protected]>
On Oct 31, 2025, at 07:54, Bruce Momjian <[email protected]> wrote:
> So it seems we have somewhat of a stand-off, with the Postgres project
> questioning the value of TDE and the PCI writers doubling-down on
> specifying disk-level encryption as insufficient.
PCI definitely exhibits a preference away from disk-level encryption, although it doesn't prohibit it: you have to make sure that simply mounting the disk doesn't decrypt it. Their concern is that if user credentials are compromised, an attacker then has to do something else in order to see the plaintext. This kind of implies TDE, although they don't use that term.
Now, the road forks here:
1. If a customer wants TDE and isn't interested in hearing about other solutions, then TDE is the only thing that will meet that goal.
2. The PCI spec doesn't specifically offer up TDE as an alternative to disk-level encryption, though. It exhibits a strong preference for column-level encryption of sensitive data, which doesn't require TDE.
In some ways, there's no real point of discussion. You can comply with PCI without TDE (I would argue that, in fact, you are in a better position with column-level encryption), but if the organization wants TDE, then the technical arguments rarely matter.
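As an added illustration of the column-level approach Christophe refers to (example code, not from the thread or from the PostgreSQL project), this uses the contrib pgcrypto extension; the table name, the `app.pan_key` session parameter and the key value are assumptions, and in practice the key would come from the application's secret store over a TLS-protected connection.

```sql
-- Added example: column-level encryption of a sensitive field with pgcrypto.
-- The point from the thread: a session that only holds database credentials
-- sees ciphertext; reading the plaintext requires something else (the key),
-- which the application supplies per session and which is never stored in
-- the database. Mounting the disk, or dumping the table, yields only bytea.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE cards (
    id      bigserial PRIMARY KEY,
    holder  text  NOT NULL,
    pan_enc bytea NOT NULL        -- PAN stored only as PGP-encrypted bytes
);

-- Assumed session parameter; the value is a constructed placeholder, not a
-- real secret. The application sets it after connecting, from its KMS.
SET app.pan_key = 'placeholder-key-from-application-secret-store';

-- Constructed test PAN (a well-known test card number, not real card data).
INSERT INTO cards (holder, pan_enc)
VALUES ('Alice', pgp_sym_encrypt('4111111111111111',
                                 current_setting('app.pan_key')));

-- Anyone with SELECT on the table, but no key, gets only ciphertext:
SELECT holder, pan_enc FROM cards;

-- Only a session that knows the key recovers the plaintext:
SELECT holder,
       pgp_sym_decrypt(pan_enc, current_setting('app.pan_key')) AS pan
FROM   cards;

-- A wrong key raises an error rather than returning partial plaintext:
SET app.pan_key = 'some-other-value';
SELECT pgp_sym_decrypt(pan_enc, current_setting('app.pan_key')) FROM cards;
```

This is exactly the separation PCI is looking for: compromising the database role alone does not expose the PAN, and the decryption path can additionally be audited and restricted to the roles that need it.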