Re: Enquiry about TDE with PgSQL
Ron Johnson <ronljohnsonjr@gmail.com>
From: Ron Johnson <ronljohnsonjr@gmail.com>
To: pgsql-general <pgsql-general@postgresql.org>
Date: 2025-10-31T15:34:45Z
Lists: pgsql-general
On Fri, Oct 31, 2025 at 11:25 AM Greg Sabino Mullane <htamfids@gmail.com> wrote: > On Fri, Oct 31, 2025 at 10:54 AM Bruce Momjian <bruce@momjian.us> wrote: > >> Disk-level and partition-level encryption typically encrypts >> the entire disk or partition using the same key, with all data >> automatically decrypted when the system runs or when an authorized >> --> user requests it. For this reason, disk-level encryption is not >> --> appropriate to protect stored PAN on computers, laptops, servers, >> storage arrays, or any other system that provides transparent >> decryption upon user authentication. >> > > Hmm, I read this a few times but still not sure what the technical > objection is. Yes, the entire disk is encrypted with the same key, but why > is that insufficient to protect things? Anyone care to guess what they are > thinking here? > Networking. Who breaks into a DC and steals a rack of disks or SSDs? Very, very few evil-doers. Who hacks into networks and exfiltrates data over the wire? Many hackers. -- Death to <Redacted>, and butter sauce. Don't boil me, I'm still alive. <Redacted> lobster!