Re: Enquiry about TDE with PgSQL

2025-10-31 Thread Chris Travers
I maintain that the way forward is to get TDE in core. Perhaps someone could pick up the previous patches and try to push them again Best Wishes, Chris Travers On Sat, Nov 1, 2025, 8:36 AM Christophe Pettus wrote: > On Oct 31, 2025, at 17:24, Clay Jackson (cjackson) > wrote: > > > > I can't

Re: Enquiry about TDE with PgSQL

2025-10-31 Thread Christophe Pettus
On Oct 31, 2025, at 17:24, Clay Jackson (cjackson) wrote: > > I can't disagree - but the question then becomes, as Markus and others have > pointed out; would that allow a customer/user to check the "Encryption" box > for PCI or any other "compliance review" The answer is: it depends (doesn't

Re: Enquiry about TDE with PgSQL

2025-10-31 Thread Christophe Pettus
> On Oct 31, 2025, at 17:21, Bruce Momjian wrote: > > I think column-level encryption, on the client side, actually does > improve security and is preferable to file system level TDE, and I think > many here feel the same way. Absolutely. Unfortunately, too many IT security policies are basi

Re: Enquiry about TDE with PgSQL

2025-10-31 Thread Bruce Momjian
On Sat, Nov 1, 2025 at 12:24:25AM +, Clay Jackson (cjackson) wrote: > I can't disagree - but the question then becomes, as Markus and > others have pointed out; would that allow a customer/user to check the > "Encryption" box for PCI or any other "compliance review" I think so. It says storag

RE: Enquiry about TDE with PgSQL

2025-10-31 Thread Clay Jackson (cjackson)
I can't disagree - but the question then becomes, as Markus and others have pointed out; would that allow a customer/user to check the "Encryption" box for PCI or any other "compliance review" Clay Jackson Database Solutions Sales Engineer [email protected] office 949-754-1203 mobile 425-

Re: Enquiry about TDE with PgSQL

2025-10-31 Thread Bruce Momjian
On Fri, Oct 31, 2025 at 05:16:09PM -0700, Christophe Pettus wrote: > On Oct 31, 2025, at 07:54, Bruce Momjian wrote: > > So it seems we have somewhat of a stand-off, with the Postgres > > project questioning the value of TDE and the PCI writers > > doubling-down on specifying disk-level encryption

Re: Enquiry about TDE with PgSQL

2025-10-31 Thread Christophe Pettus
On Oct 31, 2025, at 07:54, Bruce Momjian wrote: > So it seems we have somewhat of a stand-off, with the Postgres project > questioning the value of TDE and the PCI writers doubling-down on > specifying disk-level encryption as insufficient. PCI definitely exhibits a preference away from disk-leve

RE: Enquiry about TDE with PgSQL

2025-10-31 Thread Clay Jackson (cjackson)
Speaking for myself, not Quest, as an "interested observer", I think Markus summarized it REALLY well. Unfortunately, like a lot of "overloaded" terms/standards, "TDE", whatever it means, has become a "checkbox" item. Clay Jackson Database Solutions Sales Engineer [email protected] o

Re: Enquiry about TDE with PgSQL

2025-10-31 Thread Markus Wanner
It's always entertaining to read PCI DSS... In the "guidance and purpose" column of page 95, the standard reads: Disk-level encryption typically encrypts the entire disk or partition using the same key, with all data automatically decrypted when the system runs or when an authori

Re: Enquiry about TDE with PgSQL

2025-10-31 Thread Bruce Momjian
On Fri, Oct 31, 2025 at 05:19:57PM -0400, Ron Johnson wrote: > On Fri, Oct 31, 2025 at 4:53 PM Bruce Momjian wrote: > On Fri, Oct 31, 2025 at 09:04:32PM +0100, Kai Wagner wrote: > We created a group several years ago, got pretty far, but ended up > stopping for reasons I stated in my b

Re: Enquiry about TDE with PgSQL

2025-10-31 Thread Ron Johnson
On Fri, Oct 31, 2025 at 4:53 PM Bruce Momjian wrote: > On Fri, Oct 31, 2025 at 09:04:32PM +0100, Kai Wagner wrote: > > On Fri, Oct 31, 2025 at 7:22 PM Bruce Momjian wrote: > > > > On Fri, Oct 31, 2025 at 06:33:54PM +0100, Álvaro Herrera wrote: > > > On 2025-Oct-31, Bruce Momjian wrote: >

Re: Why isn't my table auto-analyzed/vacuumed?

2025-10-31 Thread Ron Johnson
On Fri, Oct 31, 2025 at 4:52 PM Adrian Klaver wrote: > On 10/31/25 13:03, Dimitrios Apostolou wrote: > > On Thursday 2025-10-30 18:00, Ron Johnson wrote: > > > >> > >> > SELECT reltuples FROM pg_class WHERE relname = > >> 'test_runs_summarized_per_function' \gx > >> -[ RECORD 1 ]--

Re: Enquiry about TDE with PgSQL

2025-10-31 Thread Bruce Momjian
On Fri, Oct 31, 2025 at 09:04:32PM +0100, Kai Wagner wrote: > On Fri, Oct 31, 2025 at 7:22 PM Bruce Momjian wrote: > > On Fri, Oct 31, 2025 at 06:33:54PM +0100, Álvaro Herrera wrote: > > On 2025-Oct-31, Bruce Momjian wrote: > > > > > Yes, we have been avoiding the masquerade for y

Re: Why isn't my table auto-analyzed/vacuumed?

2025-10-31 Thread Adrian Klaver
On 10/31/25 13:03, Dimitrios Apostolou wrote: On Thursday 2025-10-30 18:00, Ron Johnson wrote: > SELECT reltuples FROM pg_class WHERE relname = 'test_runs_summarized_per_function' \gx -[ RECORD 1 ]--- reltuples | 6.061923e+09 > SELECT name,setting FROM pg_sett

Re: Enquiry about TDE with PgSQL

2025-10-31 Thread Kai Wagner
On Fri, Oct 31, 2025 at 7:22 PM Bruce Momjian wrote: > On Fri, Oct 31, 2025 at 06:33:54PM +0100, Álvaro Herrera wrote: > > On 2025-Oct-31, Bruce Momjian wrote: > > > > > Yes, we have been avoiding the masquerade for years. The question is > > > can we continue. From the lack of discussion since

Re: Why isn't my table auto-analyzed/vacuumed?

2025-10-31 Thread Dimitrios Apostolou
On Thursday 2025-10-30 18:00, Ron Johnson wrote: > SELECT reltuples FROM pg_class WHERE relname = 'test_runs_summarized_per_function' \gx -[ RECORD 1 ]--- reltuples | 6.061923e+09 > SELECT name,setting FROM pg_settings WHERE name ILIKE '%factor%' ;        

Re: Enquiry about TDE with PgSQL

2025-10-31 Thread Bruce Momjian
On Fri, Oct 31, 2025 at 06:33:54PM +0100, Álvaro Herrera wrote: > On 2025-Oct-31, Bruce Momjian wrote: > > > Yes, we have been avoiding the masquerade for years. The question is > > can we continue. From the lack of discussion since April 1, 2025, it > > seems the answer is yes. > > Maybe, but

Re: Enquiry about TDE with PgSQL

2025-10-31 Thread Christophe Pettus
> On Oct 31, 2025, at 10:32, Clay Jackson (cjackson) > wrote: > > Pardon me for jumping in here - but would filesystem level encryption possibly > meet your requirements? If we're talking about PCI DSS, the answer is: Yes, but. Filesystem-level encryption is acceptable IF the encryption ke

Re: Enquiry about TDE with PgSQL

2025-10-31 Thread Álvaro Herrera
On 2025-Oct-31, Bruce Momjian wrote: > Yes, we have been avoiding the masquerade for years. The question is > can we continue. From the lack of discussion since April 1, 2025, it > seems the answer is yes. Maybe, but I think the only reason for this is that some companies are implementing it lo

RE: Enquiry about TDE with PgSQL

2025-10-31 Thread Clay Jackson (cjackson)
Pardon me for jumping in here - but would filesystem level encryption possibly meet your requirements? Clay Jackson Database Solutions Sales Engineer [email protected] office 949-754-1203 mobile 425-802-9603 -Original Message- From: Bruce Momjian Sent: Friday, October 31, 2025 10:

Re: Enquiry about TDE with PgSQL

2025-10-31 Thread Bruce Momjian
On Fri, Oct 31, 2025 at 10:04:35AM -0700, Christophe Pettus wrote: > > > > On Oct 31, 2025, at 08:21, Adrian Klaver > > wrote: Yeah, what I would like to know is how many of the data > > breaches actually grab directly from the storage versus getting it > > through the database or other software

Re: Enquiry about TDE with PgSQL

2025-10-31 Thread Christophe Pettus
> On Oct 31, 2025, at 08:21, Adrian Klaver wrote: > Yeah, what I would like to know is how many of the data breaches actually > grab directly from the storage versus getting it through the database or > other software above the storage? Essentially zero. PCI, like a lot of data security sta

Re: Enquiry about TDE with PgSQL

2025-10-31 Thread Adrian Klaver
On 10/31/25 09:40, Laurenz Albe wrote: On Fri, 2025-10-31 at 08:21 -0700, Adrian Klaver wrote: Yeah, what I would like to know is how many of the data breaches actually grab directly from the storage versus getting it through the database or other software above the storage? It seems to me socia

Re: Enquiry about TDE with PgSQL

2025-10-31 Thread Bruce Momjian
On Fri, Oct 31, 2025 at 05:40:31PM +0100, Laurenz Albe wrote: > On Fri, 2025-10-31 at 08:21 -0700, Adrian Klaver wrote: > > Yeah, what I would like to know is how many of the data breaches > > actually grab directly from the storage versus getting it through the > > database or other software abo

Re: Enquiry about TDE with PgSQL

2025-10-31 Thread Laurenz Albe
On Fri, 2025-10-31 at 08:21 -0700, Adrian Klaver wrote: > Yeah, what I would like to know is how many of the data breaches > actually grab directly from the storage versus getting it through the > database or other software above the storage? It seems to me social > engineering plays a bigger ro

Re: Enquiry about TDE with PgSQL

2025-10-31 Thread Adrian Klaver
On 10/31/25 08:25, Greg Sabino Mullane wrote: On Fri, Oct 31, 2025 at 10:54 AM Bruce Momjian > wrote: Disk-level and partition-level encryption typically encrypts the entire disk or partition using the same key, with all data automa

Re: Enquiry about TDE with PgSQL

2025-10-31 Thread Ron Johnson
On Fri, Oct 31, 2025 at 11:25 AM Greg Sabino Mullane wrote: > On Fri, Oct 31, 2025 at 10:54 AM Bruce Momjian wrote: > >> Disk-level and partition-level encryption typically encrypts >> the entire disk or partition using the same key, with all data >> automatically decrypt

Re: Enquiry about TDE with PgSQL

2025-10-31 Thread Bruce Momjian
On Fri, Oct 31, 2025 at 11:25:04AM -0400, Greg Sabino Mullane wrote: > On Fri, Oct 31, 2025 at 10:54 AM Bruce Momjian wrote: > > Disk-level and partition-level encryption typically encrypts > the entire disk or partition using the same key, with all data > auto

Re: Enquiry about TDE with PgSQL

2025-10-31 Thread Greg Sabino Mullane
On Fri, Oct 31, 2025 at 10:54 AM Bruce Momjian wrote: > Disk-level and partition-level encryption typically encrypts > the entire disk or partition using the same key, with all data > automatically decrypted when the system runs or when an authorized > --> user request

Re: Enquiry about TDE with PgSQL

2025-10-31 Thread Adrian Klaver
On 10/31/25 07:54, Bruce Momjian wrote: On Fri, Oct 31, 2025 at 03:01:48PM +0100, Kai Wagner wrote: With the PCI DSS v4.1 standard, one key rule to comply with is, that "If PAN is Uh, I think you mean the 4.0.1 standard, which became active on January 1, 2025. I am surprised this is only be

Re: Enquiry about TDE with PgSQL

2025-10-31 Thread Bruce Momjian
On Fri, Oct 31, 2025 at 03:01:48PM +0100, Kai Wagner wrote: > As I personally believe, there is no real way around TDE in the future, either > by extensibility of the core (start with the storage manager and move your way > on from there), to make an extension possible, or by directly adding it to

Re: Enquiry about TDE with PgSQL

2025-10-31 Thread Fernando Laudares Camargos
Hi Ashish, If you are looking for "native" TDE in PostgreSQL, you won't find it in the PostgreSQL community distribution. If you search for "postgresql tde", you will find a list of vendors that provide TDE functions in their own distributions of PostgreSQL, such as: - https://www.cybertec-

Re: Enquiry about TDE with PgSQL

2025-10-31 Thread Kai Wagner
As I personally believe, there is no real way around TDE in the future, either by extensibility of the core (start with the storage manager and move your way on from there), to make an extension possible, or by directly adding it to the core, there are more reasons coming or are already on their wa