Date: Mon, 3 Nov 2025 11:01:06 -0500
From: Bruce Momjian
To: rainer@ultra-secure.de
Cc: Ken Marshall, pgsql-general@postgresql.org
Subject: Re: Enquiry about TDE with PgSQL
Message-ID:
References: <3DC589BC-A5F6-49BC-BFFC-F1FCB0FF7E95@thebuild.com> <3985797c-639f-4825-9fa9-98a48b37f380@aklaver.com> <86C8ECFE-942C-4364-A5BF-3404D50CD661@ultra-secure.de> <3a9ca8cf6bfa3916619ee8e2c8ff3e30@ultra-secure.de>
In-Reply-To: <3a9ca8cf6bfa3916619ee8e2c8ff3e30@ultra-secure.de>

On Mon, Nov 3, 2025 at 04:39:45PM +0100, rainer@ultra-secure.de wrote:
> On 2025-11-03 16:08, Bruce Momjian wrote:
>
> > Is it the Oracle API they don't like, that Postgres can improve upon, or
> > something fundamental they don't like, or don't see the value in?
>
> I am not sure.
>
> It just complicates everything.
> Documentation isn't thin, it's skeletal.

Okay, these are things we can improve on.  I think my final posted patch
had a pretty simple API, but pushing that API out to external tools will
add complexity I didn't implement, and that complexity could be a reason
to reject TDE.

> And of course, actual support from the HSM vendor for this use case is
> non-existent.
> Same for Oracle.

Yes, my patch used shell scripts --- not sure if that is good or bad.  I
will admit that companies are better at integrating with external
vendors, particularly hardware vendors.  There is an organization
mismatch between the community and companies, and the community
basically forces companies to interact on community terms --- companies
are a more natural interaction for other companies.

> > As far as I know, there are two ways to generate the data encryption
> > key.  One is for the HSM to generate it, and then only the HSM knows it.
> > The other method is to create the encryption key on a USB memory stick,
> > copy the key into the HSM, and then remove the USB memory stick and
> > store it in a secure location like a safe.  The second method seems like
> > a better option to me.  Oh, and make a second copy of the USB memory
> > stick.
>
> The keys are generated on the HSM.
> There's an HSM client you've got to install that manages the
> communication to the HSM.
>
> The HSM should be backed up, too.  Which is only possible by connecting
> physically to it with a notebook and inserting a USB stick.

The problem is that if anything happens with the HSM, you are stuck.
The HSM adds an additional risk.

> Which begs the question: where do you source a USB stick with the same
> trust level as the 20k-a-pop HSM?

I don't know.

-- 
  Bruce Momjian                            https://momjian.us
  EDB                                      https://enterprisedb.com

  Do not let urgent matters crowd out time for investment in the future.