Thread: Transparent Data Encryption in PostgreSQL?
Hello.

Got a bit of a weird question here : what is the state of transparent data encryption in PostgreSQL? I was under the impression it was on the 'to do' list for PostgreSQL 14 ...

https://www.postgresql.org/about/press/faq/

Q: What features will 14 have?
A: As always, we can't be certain what will go in and what won't; the project has strict quality standards that not all patches can make before deadline. All we can tell you is what's currently being worked on, which includes significant performance improvements due to optimizations in connection handling, continued work on the pluggable storage interface (including plugins such as zheap or zedstore), native TRANSPARENT DATA ENCRYPTION support, continued improvements to parallelism and partitioning, and many more features. By the time 14 is released, though, this list may have changed considerably.

... but a colleague at work is adamant that PostgreSQL has had TDE since 2019.

Have I missed a memo somewhere?

Many thanks!

--
Martin Goodson

Whatever you've got planned, forget it. I'm the Doctor. I'm 904 years old. I'm from the planet Gallifrey in the constellation of Kasterborous. I am The Oncoming Storm, the Bringer of Darkness and you are ... basically just a rabbit, aren't you? OK, carry on, just a general ... warning.

On Thu, Jan 28, 2021 at 01:28:04PM +0000, Martin Goodson wrote:
> Hello.
>
> Got a bit of a weird question here : what is the state of transparent data
> encryption in PostgreSQL? I was under the impression it was on the 'to do'
> list for PostgreSQL 14 ...
>
> https://www.postgresql.org/about/press/faq/
>
> Q: What features will 14 have?
> A: As always, we can't be certain what will go in and what won't; the
> project has strict quality standards that not all patches can make before
> deadline. All we can tell you is what's currently being worked on, which
> includes significant performance improvements due to optimizations in
> connection handling, continued work on the pluggable storage interface
> (including plugins such as zheap or zedstore), native TRANSPARENT DATA
> ENCRYPTION support, continued improvements to parallelism and partitioning,
> and many more features. By the time 14 is released, though, this list may
> have changed considerably.
>
>
> ... but a colleague at work is adamant that PostgreSQL has had TDE since
> 2019.
>
> Have I missed a memo somewhere?

It has been worked on since before 2019. I worked on the key management part recently, but there was no consensus in the community, so I have stopped working on this feature, and I don't know anyone else who is currently working on it:

https://www.postgresql.org/message-id/20210126225301.GD32305%40momjian.us

--
Bruce Momjian <bruce@momjian.us> https://momjian.us
EDB https://enterprisedb.com

The usefulness of a cup is in its emptiness, Bruce Lee

Martin Goodson <kaemaril@googlemail.com> writes:
> ... but a colleague at work is adamant that PostgreSQL has had TDE since
> 2019.

There is at least one fork with TDE, which maybe is what your colleague is thinking of, but it doesn't exist in the community code today. Various people are interested in merging the feature. At this point I'd lay odds against it being ready for v14, but perhaps it will happen for v15.

regards, tom lane

On Thu, Jan 28, 2021 at 09:50:55AM -0500, Bruce Momjian wrote:
> On Thu, Jan 28, 2021 at 01:28:04PM +0000, Martin Goodson wrote:
> > ... but a colleague at work is adamant that PostgreSQL has had TDE since
> > 2019.
> >
> > Have I missed a memo somewhere?
>
> It has been worked on since before 2019. I worked on the key management
> part recently, but there was no consensus in the community, so I have
> stopped working on this feature, and I don't know anyone else who is
> currently working on it:
>
> https://www.postgresql.org/message-id/20210126225301.GD32305%40momjian.us

Oh, Cybertec has an open source version of Postgres 12.3 with TDE:

https://www.cybertec-postgresql.com/en/products/postgresql-transparent-data-encryption/
https://www.cybertec-postgresql.com/en/transparent-data-encryption-installation-guide/

and Postgres 12.3 was released on 2020-05-14, and their TDE version was packaged on 2020-07-10, based on the tarball file dates. Their TDE feature is not part of community Postgres, and I don't know if that will ever happen.

--
Bruce Momjian <bruce@momjian.us> https://momjian.us
EDB https://enterprisedb.com

The usefulness of a cup is in its emptiness, Bruce Lee

On Thu, Jan 28, 2021 at 10:17:31AM -0500, Tom Lane wrote:
> Martin Goodson <kaemaril@googlemail.com> writes:
> > ... but a colleague at work is adamant that PostgreSQL has had TDE since
> > 2019.
>
> There is at least one fork with TDE, which maybe is what your colleague is
> thinking of, but it doesn't exist in the community code today. Various
> people are interested in merging the feature. At this point I'd lay
> odds against it being ready for v14, but perhaps it will happen for v15.

Yeah, we could get the key management into PG 14, but it wouldn't do anything, so it would have to be hidden so it didn't confuse people, so what's the point of adding it now? Also, I don't know anyone who is currently working on the data encryption stage, which is the next step.

--
Bruce Momjian <bruce@momjian.us> https://momjian.us
EDB https://enterprisedb.com

The usefulness of a cup is in its emptiness, Bruce Lee

On 28/01/2021 14:50, Bruce Momjian wrote:
> On Thu, Jan 28, 2021 at 01:28:04PM +0000, Martin Goodson wrote:
>> Hello.
>>
>> Got a bit of a weird question here : what is the state of transparent data
>> encryption in PostgreSQL? I was under the impression it was on the 'to do'
>> list for PostgreSQL 14 ...
>>
>> https://www.postgresql.org/about/press/faq/
>>
>> Q: What features will 14 have?
>> A: As always, we can't be certain what will go in and what won't; the
>> project has strict quality standards that not all patches can make before
>> deadline. All we can tell you is what's currently being worked on, which
>> includes significant performance improvements due to optimizations in
>> connection handling, continued work on the pluggable storage interface
>> (including plugins such as zheap or zedstore), native TRANSPARENT DATA
>> ENCRYPTION support, continued improvements to parallelism and partitioning,
>> and many more features. By the time 14 is released, though, this list may
>> have changed considerably.
>>
>>
>> ... but a colleague at work is adamant that PostgreSQL has had TDE since
>> 2019.
>>
>> Have I missed a memo somewhere?
>
> It has been worked on since before 2019. I worked on the key management
> part recently, but there was no consensus in the community, so I have
> stopped working on this feature, and I don't know anyone else who is
> currently working on it:
>
> https://www.postgresql.org/message-id/20210126225301.GD32305%40momjian.us
>

Thank you very much for the response, it answered my question perfectly.

Regards,

Martin.

--
Martin Goodson

Whatever you've got planned, forget it. I'm the Doctor. I'm 904 years old. I'm from the planet Gallifrey in the constellation of Kasterborous. I am The Oncoming Storm, the Bringer of Darkness and you are ... basically just a rabbit, aren't you? OK, carry on, just a general ... warning.