Re: Enquiry about TDE with PgSQL - Mailing list pgsql-general

From Ron Johnson
Subject Re: Enquiry about TDE with PgSQL
Msg-id CANzqJaA41CzNjkiQex+A0u9z11i6R3WQZJ+fkXfJO7VJwOMWzg@mail.gmail.com
In response to Re: Enquiry about TDE with PgSQL  (Greg Sabino Mullane <htamfids@gmail.com>)
Responses Re: Enquiry about TDE with PgSQL
Re: Enquiry about TDE with PgSQL
List pgsql-general
On Thu, Oct 16, 2025 at 6:05 PM Greg Sabino Mullane <htamfids@gmail.com> wrote:
I would like to enquire that based on the anecdotal experience of group members, which TDE solution works best for PgSQL 17 databases.

Generally speaking, there is no "best". People use whatever vendor they happen to already use. Your best solution is to avoid TDE altogether. If you really need encryption at rest, have the OS do it. That works well (transparently, even), is very battle-tested, and has minimal performance impact.

But filesystem encryption still means that validly logged-in users see the unencrypted data.  That's great for a laptop that might get stolen, or for drives that are discarded without being wiped, but it is no protection against hackers who want to exfiltrate your data.

(Neither protects against ransomware, but that's a different problem.)
TDE, on the other hand, is a very complex and difficult thing to add into Postgres.

TDE was added to SQL Server, with (to us, at least) minimally-noticed overhead.  Oracle has it, too, but I don't know the details.

The bottom line is that requirements for TDE are escalating, whether you like it or not, as Yet Another Layer Of Defense against hackers exfiltrating data, and then threatening to leak it to the public.

--
Death to <Redacted>, and butter sauce.
Don't boil me, I'm still alive.
<Redacted> lobster!
