On Tue, Jul 03, 2018 at 07:28:42PM +0900, Masahiko Sawada wrote:
> On Tue, Jul 3, 2018 at 7:16 AM, Nico Williams <n...@cryptonector.com> wrote:
> > Yes, but piecemeal encryption seems like a bad idea to me.
>
> What do you mean by "piecemeal encryption"? Is it not-whole database
> encryption such as per-table or per-tablespace? If so could you please
> elaborate on the reason why you think so?

I mean that encrypting some columns only, or some tables only, has
integrity protection issues. See earlier posts in this thread.

Encrypting the whole DB has no such problems, assuming you're doing the
crypto correctly anyways. But for full DB encryption it's easier to
leave the crypto to the filesystem or device drivers. (If the devices
are physically in the host and cannot be removed easily, then FDE at the
device works well too.)

Nico