RE: Enquiry about TDE with PgSQL - Mailing list pgsql-general
| From | Clay Jackson (cjackson) |
|---|---|
| Subject | RE: Enquiry about TDE with PgSQL |
| Date | |
| Msg-id | CO1PR19MB4984B665A5F9F38A5E0FB5969BF9A@CO1PR19MB4984.namprd19.prod.outlook.com |
| In response to | Re: Enquiry about TDE with PgSQL (Bruce Momjian <bruce@momjian.us>) |
| Responses | Re: Enquiry about TDE with PgSQL; Re: Enquiry about TDE with PgSQL |
| List | pgsql-general |
I can't disagree - but the question then becomes, as Markus and others have pointed out; would that allow a customer/user to check the "Encryption" box for PCI or any other "compliance review"

Clay Jackson
Database Solutions Sales Engineer
clay.jackson@quest.com
office 949-754-1203
mobile 425-802-9603

-----Original Message-----
From: Bruce Momjian <bruce@momjian.us>
Sent: Friday, October 31, 2025 5:21 PM
To: Christophe Pettus <xof@thebuild.com>
Cc: pgsql-general <pgsql-general@postgresql.org>; Kai Wagner <kai.wagner@percona.com>; Laurenz Albe <laurenz.albe@cybertec.at>; Ron Johnson <ronljohnsonjr@gmail.com>
Subject: Re: Enquiry about TDE with PgSQL

CAUTION: This email originated from outside of the organization. Do not follow guidance, click links, or open attachments unless you recognize the sender and know the content is safe.

On Fri, Oct 31, 2025 at 05:16:09PM -0700, Christophe Pettus wrote:
> On Oct 31, 2025, at 07:54, Bruce Momjian <bruce@momjian.us> wrote:
> > So it seems we have somewhat of a stand-off, with the Postgres
> > project questioning the value of TDE and the PCI writers
> > doubling-down on specifying disk-level encryption as insufficient.
>
> PCI definitely exhibits a preference away from disk-level encryption,
> although it doesn't prohibit it: you have to make sure that simply
> mounting the disk doesn't decrypt it. Their concern is that if user
> credentials are compromised, an attacker then has to do something
> else in order to see the plaintext. This kind of implies TDE,
> although they don't use that term.
>
> Now, the road forks here:
>
> 1. If a customer wants TDE and isn't interested in hearing about other
> solutions, then TDE is the only thing that will meet that goal.
>
> 2. The PCI spec doesn't specifically offer up TDE as an alternative to
> disk-level encryption, though. It exhibits a strong preference for
> column-level encryption of sensitive data, which doesn't require TDE.
>
> In some ways, there's no real point of discussion. You can comply
> with PCI without TDE (I would argue that, in fact, you are in a better
> position with column-level encryption), but if the organization wants
> TDE, then the technical arguments rarely matter.

I think column-level encryption, on the client side, actually does improve security and is preferable to file system level TDE, and I think many here feel the same way.

--
  Bruce Momjian  <bruce@momjian.us>        https://momjian.us/
  EDB                                      https://enterprisedb.com/

  Do not let urgent matters crowd out time for investment in the future.
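The property Christophe and Bruce describe, that someone who can mount the disk or read the stored rows still cannot see the plaintext, is what client-side column-level encryption delivers without any TDE support in the server. The following is an added illustration, not code from this thread or from the PostgreSQL project: the application encrypts the sensitive column with AES-GCM under a key it holds itself (assumed to come from a KMS or HSM, never stored in the database), binds each ciphertext to its row's primary key via associated data, and hands PostgreSQL only the ciphertext. The `Row` type and `DumpContainsPlaintext` helper are stand-ins for the INSERT parameters and for inspecting a base backup or data-directory copy; no real database connection is made.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Row stands in for the tuple the application sends to PostgreSQL (the INSERT
// parameters). Constructed for this example; the server only ever receives PANCipher.
type Row struct {
	CustomerID int
	PANCipher  string // base64(nonce || AES-GCM ciphertext || tag)
}

// gcmFor builds an AES-GCM instance for a 16-, 24- or 32-byte key.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptColumn encrypts one column value with a key the application holds
// (assumed to be fetched from a KMS/HSM; it is never written to the database).
// aad binds the ciphertext to its row, so a value copied into another row
// fails the integrity check on decrypt.
func EncryptColumn(key []byte, aad, plaintext string) (string, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nil, nonce, []byte(plaintext), []byte(aad))
	return base64.StdEncoding.EncodeToString(append(nonce, ct...)), nil
}

// DecryptColumn reverses EncryptColumn. A wrong key, wrong aad or tampered
// ciphertext returns an error rather than garbage.
func DecryptColumn(key []byte, aad, stored string) (string, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("stored value too short to hold a nonce")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(aad))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// RowAAD derives the per-row associated data from the primary key.
func RowAAD(customerID int) string {
	return fmt.Sprintf("customer:%d", customerID)
}

// DumpContainsPlaintext models what a dump, base backup or mounted data
// directory exposes: the stored bytes. It reports whether the secret can be
// read out of them by simple inspection.
func DumpContainsPlaintext(rows []Row, secret string) bool {
	for _, r := range rows {
		if strings.Contains(r.PANCipher, secret) {
			return true
		}
	}
	return false
}

func main() {
	key := make([]byte, 32) // AES-256 key held by the application, not by PostgreSQL
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	pan := "4111111111111111" // constructed test value, not real card data
	ct, err := EncryptColumn(key, RowAAD(42), pan)
	if err != nil {
		panic(err)
	}
	rows := []Row{{CustomerID: 42, PANCipher: ct}}
	fmt.Println("stored in PostgreSQL:", rows[0].PANCipher)
	fmt.Println("plaintext visible in dump:", DumpContainsPlaintext(rows, pan))
	back, err := DecryptColumn(key, RowAAD(42), rows[0].PANCipher)
	fmt.Println("application decrypts:", back, err)
	_, err = DecryptColumn(key, RowAAD(43), rows[0].PANCipher)
	fmt.Println("same ciphertext moved to another row:", err)
}
```

The point of the associated data is that a database-only attacker cannot even reassign an encrypted value between customers undetected; the point of keeping the key out of the server is that compromised database credentials, a stolen backup or a mounted volume all yield only ciphertext, which is the distinction the thread draws between column-level encryption and disk-level or file-system-level protection.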