Date: Fri, 31 Oct 2025 08:37:44 -0700
Subject: Re: Enquiry about TDE with PgSQL
From: Adrian Klaver
To: Greg Sabino Mullane, Bruce Momjian
Cc: Kai Wagner, Laurenz Albe, Ron Johnson, pgsql-general

On 10/31/25 08:25, Greg Sabino Mullane wrote:
> On Fri, Oct 31, 2025 at 10:54 AM Bruce Momjian wrote:
>
>         Disk-level and partition-level encryption typically encrypts
>         the entire disk or partition using the same key, with all data
>         automatically decrypted when the system runs or when an
>         authorized
> -->     user requests it. For this reason, disk-level encryption is not
> -->     appropriate to protect stored PAN on computers, laptops,
>         servers, storage arrays, or any other system that provides
>         transparent decryption upon user authentication.
>
> Hmm, I read this a few times but still not sure what the technical
> objection is. Yes, the entire disk is encrypted with the same key, but
> why is that insufficient to protect things? Anyone care to guess what
> they are thinking here?

My best guess is that the more the storage encryption is fragmented by
different keys, the less likely all the disk could be decrypted by a
single action.

The weak link is '... other system that provides transparent decryption
upon user authentication.' At some point the data needs to be decrypted
for end user use. That means the point of attack is moved to the user and
storage encryption does not really matter.

> The biggest possible downside of this standoff is that enterprises
> that need to meet PCI compliance specifications are forced to use
> specialized versions of Postgres or Postgres extensions that support
> TDE.
>
> Not always a downside for the companies selling those specialized
> versions though.
>
> Cheers,
> Greg
>
> --
> Crunchy Data - https://www.crunchydata.com
> Enterprise Postgres Software Products & Tech Support

-- 
Adrian Klaver
adrian.klaver@aklaver.com
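The objection quoted from the PCI text above can be checked directly on a server: once a transparently encrypted disk or partition is mounted, any process with read access to the data files sees the stored PAN in the clear. The scanner below is an added example, not code from this mailing-list thread or from the PostgreSQL project. It assumes Python 3 only, that PANs stored in text columns land in heap files as plain ASCII digits (with optional space or dash separators), and uses the Luhn check digit to drop random digit runs. Here it runs against constructed byte strings standing in for a heap page and for a page whose PAN column was encrypted before it reached storage; the file names 16384 and 16385 are made up to look like relfilenodes, not taken from any real cluster.

```python
import mmap
import os
import re
import tempfile
from typing import Iterator, List, Tuple

# 13 to 19 digits (ISO/IEC 7812 PAN lengths), tolerating the space or dash
# separators people type into card fields. The lookarounds keep a longer digit
# run from being chopped into a "PAN". Assumption: PANs stored as text columns
# sit in heap files as plain ASCII digits.
PAN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit (ISO/IEC 7812-1): filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(blob) -> List[str]:
    """Return every Luhn-valid PAN candidate in a bytes-like buffer (page, file, mmap)."""
    hits = []
    for m in PAN_RE.finditer(blob):
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode("ascii")
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_directory(path: str) -> Iterator[Tuple[str, str]]:
    """Walk a directory such as $PGDATA/base and yield (file, pan) for each hit.

    Files are memory-mapped so 1 GiB relation segments are scanned without being
    read into memory. On a volume with disk-level encryption the data is already
    decrypted at this point: the process only needs read access to the files.
    """
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            try:
                with open(full, "rb") as fh:
                    if os.fstat(fh.fileno()).st_size == 0:
                        continue  # mmap refuses empty files
                    with mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
                        for pan in find_pans(mm):
                            yield full, pan
            except OSError:
                continue  # unreadable file: keep scanning the rest


# Constructed stand-in for a heap page; not real PostgreSQL data. Two Luhn-valid
# test card numbers stored as text, one run that fails Luhn, one short run.
SAMPLE_PAGE = (
    b"\x00\x00\x00\x00\x1c\x00\x00\x00"
    + b"Alice\x00" + b"4111111111111111" + b"\x00"
    + b"Bob\x00" + b"4242 4242 4242 4242" + b"\x00"
    + b"Carol\x00" + b"4111111111111112" + b"\x00"   # fails Luhn, skipped
    + b"order-2025-10-31\x00"                        # too short, skipped
)
# Constructed stand-in for the same column encrypted before storage
# (column- or application-level encryption): no PAN-length digit runs.
CIPHERTEXT_PAGE = bytes(range(256)) * 32


def demo() -> List[Tuple[str, str]]:
    """Write the constructed pages under relfilenode-style names and scan them."""
    with tempfile.TemporaryDirectory() as d:
        for name, page in (("16384", SAMPLE_PAGE), ("16385", CIPHERTEXT_PAGE)):
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(page)
        return sorted((os.path.basename(f), pan) for f, pan in scan_directory(d))


if __name__ == "__main__":
    for fname, pan in demo():
        print(f"{fname}: PAN readable from storage: {pan[:6]}...{pan[-4:]}")
```

Against a real cluster, run it as the postgres OS user with `scan_directory("/path/to/pgdata/base")`. Hits on a system that relies on disk- or partition-level encryption show the situation the PCI text describes: the volume is mounted, so authentication to the host is all that stands between an attacker and the PAN. Data encrypted before it reaches storage (server-side TDE that decrypts pages only inside the backend, or column-level encryption with keys held outside the database) produces no hits from the files alone. The scan only catches PANs stored as plain text; numeric or bytea encodings, TOAST-compressed values, WAL segments and backups need their own checks.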