Date: Tue, 20 Jan 2026 14:04:05 -0600
From: Nico Williams
To: ManiR
Cc: pgsql-general@postgresql.org
Subject: Re: Request for cryptographic mechanisms used in PostgreSQL

On Tue, Jan 20, 2026 at 02:47:36PM +0530, ManiR wrote:
> We would like your guidance on the *cryptographic mechanisms used by
> PostgreSQL*, including:

FYI this is the sort of thing where LLMs shine.  I would start by asking
an LLM to write this and then I'd have expert humans review it.

Keep in mind that some of the cryptographic mechanism/algorithm usage is
transitive via PostgreSQL's dependencies (e.g., SASL, GSS-API, TLS), but
you might not be interested in expanding that (since you might want to
do separate CBOMs for those).

Keep in mind that some uses are not actually uses, like the PG crypto
extension, which makes cryptography available to PG _applications_.

You should also look at options to _not_ use cryptographic mechanisms.
I.e., options to use cleartext protocols.  Obviously it's much worse to
have a cleartext protocol than one that uses, say, 1DES, even though
1DES is so weak as to be useless.  Often auditors have a blind spot
here.

And it's important not to treat the presence of, say, MD5 as fatal when
it's not being used for security-critical purposes.

IMO,

Nico

--
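As an added example that is not part of this thread: a small Python inventory of the authentication mechanisms a pg_hba.conf selects, along the lines the reply suggests (recording cleartext options, marking mechanisms supplied transitively by TLS/GSS-API/SASL, and noting where MD5 is security-critical rather than incidental). The pg_hba.conf sample is constructed, and the classification table is this example's own, not PostgreSQL's.

```python
import re
# pg_hba.conf auth method -> (mechanism, where the algorithms live); "transitive"
# means a dependency (TLS, GSS-API, SASL) supplies them, possibly a separate CBOM.
METHODS = {
    "trust":         ("none", "cleartext"),
    "password":      ("none, cleartext password", "cleartext"),
    "md5":           ("MD5 challenge-response", "native"),
    "scram-sha-256": ("SCRAM-SHA-256 over SASL", "native"),
    "gss":           ("Kerberos via GSS-API", "transitive"),
    "cert":          ("TLS client certificate", "transitive"),
    "peer":          ("none, OS credentials on local socket", "local"),
}
# Connection type -> channel protection the rule actually enforces.
CHANNEL = {"local": "unix socket", "hostssl": "TLS required",
           "hostgssenc": "GSS-API encryption required",
           "host": "TLS optional, not enforced", "hostnossl": "none, TLS refused"}

def parse_rule(line):
    """Classify one pg_hba.conf rule as a dict; None for blanks and comments."""
    tok = line.split("#", 1)[0].split()
    if not tok:
        return None
    conn = tok[0]
    # local rules carry no address; host rules may use a separate netmask token.
    i = 3 if conn == "local" else (5 if re.fullmatch(r"[0-9a-fA-F.:]+", tok[4]) else 4)
    method = tok[i]
    mech, src = METHODS.get(method, ("unknown", "unknown"))
    findings = []
    if method == "trust":
        findings.append("no authentication")
    if method == "password" and conn in ("host", "hostnossl"):
        findings.append("cleartext password may cross the network")
    if method == "md5":
        findings.append("MD5 is security-critical here (authentication), not incidental")
    return {"conn": conn, "method": method, "mechanism": mech, "source": src,
            "channel": CHANNEL.get(conn, "unknown"), "findings": findings}

def inventory(text):
    """CBOM-style list of entries for a whole pg_hba.conf."""
    return [e for e in map(parse_rule, text.splitlines()) if e]

# Constructed sample pg_hba.conf; not taken from any real deployment.
SAMPLE = """\
local     all  all                               peer
hostssl   all  all  10.0.0.0/8                   scram-sha-256
host      all  all  192.168.1.0 255.255.255.0    md5
hostnossl app  app  0.0.0.0/0                    password
host      all  all  ::1/128                      trust
"""
```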