RE: [Proposal] Table-level Transparent Data Encryption (TDE) and Key Management Service (KMS)
Tsunakawa, Takayuki <tsunakawa.takay@jp.fujitsu.com>
From: "Tsunakawa, Takayuki" <tsunakawa.takay@jp.fujitsu.com>
To: "Moon, Insung" <Moon_Insung_i3@lab.ntt.co.jp>
Cc: 'Tomas Vondra' <tomas.vondra@2ndquadrant.com>, Masahiko Sawada <sawada.mshk@gmail.com>, PostgreSQL-development <pgsql-hackers@postgresql.org>, Joe Conway <mail@joeconway.com>
Date: 2018-06-14T00:42:40Z
Lists: pgsql-hackers
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Revamp the WAL record format.
- 2c03216d8311 9.5.0 cited
From: Tomas Vondra [mailto:tomas.vondra@2ndquadrant.com] > Let me share some of the issues mentioned as possibly addressed by TDE > (I'm not entirely sure TDE actually solves them, I'm just saying those > were mentioned in previous discussions): FYI, our product provides TDE like Oracle and SQL Server, which enables encryption per tablespace. Relations, WAL records and temporary files related to encrypted tablespace are encrypted. http://www.fujitsu.com/global/products/software/middleware/opensource/postgres/ (I wonder why the web site doesn't offer the online manual... I've recognized we need to fix this situation. Anyway, I guess the downloadable trial version includes the manual.) > 1) enterprise requirement - Companies want in-database encryption, for > various reasons (because "enterprise solution" or something). To assist compliance with PCI DSS, HIPAA, etc. > 2) like FDE, but OS/filesystem independent - Same config on any OS and > filesystem, which may make maintenance easier. > > 3) does not require special OS/filesystem setup - Does not require help > from system adminitrators, setup of LUKS devices or whatever. > > 4) all filesystem access (basebackups/rsync) is encrypted anyway > > 5) solves key management (the main challenge with pgcrypto) > > 6) allows encrypting only some of the data (tables, columns) to minimize > performance impact All yes. > IMHO it makes sense to have TDE even if it provides the same "security" > as disk-level encryption, assuming it's more convenient to setup/use > from the database. Agreed. Regards Takayuki Tsunakawa