On Fri, Oct 4, 2019 at 10:46:57PM +0200, Tomas Vondra wrote:
> Oracle also has a handy "TDE best practices" document [2], which says
> when to use column-level encryption - let me quote a couple of points:
>
> * Location of sensitive information is known
>
> * Less than 5% of all application columns are encryption candidates
>
> * Encryption candidates are not foreign-key columns
>
> * Indexes over encryption candidates are normal B-tree indexes (this
> also means no support for indexes on expressions, and likely partial
> indexes)
>
> * No support from hardware crypto acceleration.
Aren't all modern systems going to have hardware crypto acceleration,
i.e., AES-NI CPU extensions. Does that mean there is no value of
partial encryption on such systems? Looking at the overhead numbers I
have seen for AES-NI-enabled systems, I believe it.
--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ As you are, so once was I. As I am, so you will be. +
+ Ancient Roman grave inscription +