Greetings,
* Ron (ronljohnsonjr@gmail.com) wrote:
> On 8/24/23 14:08, Stephen Frost wrote:
> > * Ron (ronljohnsonjr@gmail.com) wrote:
> > > On 8/21/23 18:49, Bruce Momjian wrote:
> > > > On Mon, Aug 21, 2023 at 07:02:46PM +0300, Mostafa Fathy wrote:
> > > > > It is mentioned here https://www.postgresql.org/about/press/faq/#:~:text=
> > > > > Q%3A%20What%20features%20will%20PostgreSQL%2016%20have%3F that native
> > > > > transparent data encryption is being worked on and it may be delivered with
> > > > > PostgreSQL 16.
> > > > >
> > > > > Is PostgreSQL 16 beta version includes native transparent data encryption or
> > > > > not ? because I checked the docs https://www.postgresql.org/docs/16/index.html
> > > > > and couldn't find anything related to transparent data encryption.
> > > > >
> > > > > If not supported yet in the beta version I would like to know if PostgreSQL 16
> > > > > final version will support native transparent data encryption or not?
> > > > Not, PG 16 will not support it, and I am unclear if later major versions
> > > > will either.
> > > That's disappointing, since TDE makes PCI audits that much simpler.
> > There's ongoing work happening for TDE support and we'd love to hear
> > from folks who would like to see it included.
>
> PgBackRest currently encrypts it's binary backups.
pgbackrest is optionally able to encrypt backups, sure, and that's
certainly a good thing, though having a way for the process performing
the backup to not be able to actually see the unencrypted data in the
first place eliminates that as an attack vector.
> 1. What kind of encryption would there be? AES256 makes the auditors happy.
Supported options for AES would be 128, 192 and 256.
> 2. Would TDE-enabled pg_dump create encrypted dump files?
No, pg_dump is a client utility and hasn't got anything to do with TDE
really.
> 3. Would TDE obviate the need for PgBackRest's encryption?
The short answer to this is 'probably yes, when TDE is enabled on the
cluster'. Clearly, pgbackrest would continue to support encryption and
there will be some things in PG that aren't encrypted that it might be
nice to have encrypted, depending on your particular security folks, but
you wouldn't need pgbackrest's encryption to ensure that the principle
user data is encrypted.
> 4. How would encrypted "pg_dump --format=plain" work? Or could it only work
> with the other formats (which is fine by me)?
pg_dump isn't impacted by TDE.
> > You can expect an updated patch set for the September commitfest.
>
> For that which will be Pg 17?
Probably still optimistic to be thinking about this for PG17, but
hopefully some of the preliminary work will be able to get into PG17
even if full TDE does not.
> > Getting more folks to test it
> > and use it and review it would certainly help move it forward.
>
> By any chance, will binaries be created after the September commitfest?
> (Hoops must be jumped through to get development packages installed on the
> database servers I have access to, but I'd jump through them if needed.)
This would be something to ask the package maintainers... but I tend to
doubt they'd want the additional work; there's already lots and lots of
packages they're dealing with and to add on packages for every patch
that's posted to the PG mailing lists would be a huge task..
Thanks,
Stephen