Re: Enquiry about TDE with PgSQL

Christophe Pettus <xof@thebuild.com>

From: Christophe Pettus <xof@thebuild.com>
To: "Clay Jackson (cjackson)" <Clay.Jackson@quest.com>
Cc: Bruce Momjian <bruce@momjian.us>, Adrian Klaver <adrian.klaver@aklaver.com>, Kai Wagner <kai.wagner@percona.com>, Laurenz Albe <laurenz.albe@cybertec.at>, Ron Johnson <ronljohnsonjr@gmail.com>, pgsql-general <pgsql-general@postgresql.org>
Date: 2025-10-31T17:40:56Z
Lists: pgsql-general

> On Oct 31, 2025, at 10:32, Clay Jackson (cjackson) <Clay.Jackson@quest.com> wrote:
> 
> Pardo me for jumping in here - but would filesystem level encryption possibly meet your requirements?

If we're talking about PCI DSS, the answer is: Yes, but.  Filesystem-level encryption is acceptable IF the encryption keys (or other passwords used to unlock them) are separate from the user access controls to the host that has the encrypted volume attached.  You have to go through a second step of decrypting the volume (or making it available for decrypted reads) separate from just mounting it.