Date: Fri, 31 Oct 2025 08:21:18 -0700
Subject: Re: Enquiry about TDE with PgSQL
To: Bruce Momjian, Kai Wagner
Cc: Laurenz Albe, Ron Johnson, pgsql-general
From: Adrian Klaver

On 10/31/25 07:54, Bruce Momjian wrote:
> On Fri, Oct 31, 2025 at 03:01:48PM +0100, Kai Wagner wrote:
>> With the PCI DSS v4.1 standard, one key rule to comply with is, that "If PAN is
>
> Uh, I think you mean the 4.0.1 standard, which became active on January
> 1, 2025. I am surprised this is only being mentioned now:
> So it seems we have somewhat of a stand-off, with the Postgres project
> questioning the value of TDE and the PCI writers doubling-down on
> specifying disk-level encryption as insufficient.

Yeah, what I would like to know is how many of the data breaches actually grab directly from the storage versus getting it through the database or other software above the storage?

It seems to me social engineering plays a bigger role in this.

--
Adrian Klaver
adrian.klaver@aklaver.com