Re: Enquiry about TDE with PgSQL
Bruce Momjian <bruce@momjian.us>
From: Bruce Momjian <bruce@momjian.us>
To: Christophe Pettus <xof@thebuild.com>
Cc: pgsql-general <pgsql-general@postgresql.org>, Kai Wagner <kai.wagner@percona.com>, Laurenz Albe <laurenz.albe@cybertec.at>, Ron Johnson <ronljohnsonjr@gmail.com>
Date: 2025-11-01T00:21:04Z
Lists: pgsql-general
On Fri, Oct 31, 2025 at 05:16:09PM -0700, Christophe Pettus wrote: > On Oct 31, 2025, at 07:54, Bruce Momjian <bruce@momjian.us> wrote: > > So it seems we have somewhat of a stand-off, with the Postgres > > project questioning the value of TDE and the PCI writers > > doubling-down on specifying disk-level encryption as insufficient. > > PCI definitely exhibits a preference away from disk-level encryption, > although it doesn't prohibit it: you have to make sure that simply > mounting the disk doesn't decrypt it. Their concern is that if > user credentials are compromised, and an attacker then has to do > something else in order to see the plaintext. This kind of implies > TDE, although they don't use that term. > > Now, the road forks here: > > 1. If a customer wants TDE and isn't interested in hearing about other > solutions, then TDE is only thing that will meet that goal. > > 2. The PCI spec doesn't specifically offer up TDE as an alternative to > disk-level encryption, though. It exhibits a strong preference for > column-level encryption of sensitive data, which doesn't require TDE. > > In some ways, there's no real point of discussion. You can comply > with PCI without TDE (I would argue that, in fact, you are in a better > position with column-level encryption), but if the organization wants > TDE, then the technical arguments rarely matter. I think column-level encryption, on the client side, actually does improve security and is preferable to file system level TDE, and I think many here feel the same way. -- Bruce Momjian <bruce@momjian.us> https://momjian.us EDB https://enterprisedb.com Do not let urgent matters crowd out time for investment in the future.