Re: TDE (Transparent Data Encryption) supported ?

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: laurent(dot)feron(at)free(dot)fr
Cc: pgsql-hackers(at)lists(dot)postgresql(dot)org
Subject: Re: TDE (Transparent Data Encryption) supported ?
Date: 2020-09-14 12:39:42
Message-ID: 20200914123942.GC3063@tamriel.snowman.net
Lists: pgsql-hackers

Greetings,

We'd prefer it if you didn't top-post (just write some stuff at the top)
when you respond and post to these mailing lists.

* laurent(dot)feron(at)free(dot)fr (laurent(dot)feron(at)free(dot)fr) wrote:
> I come back to your comments about vector attacks. I know that TDE protects against disk thefts, not really more...

That is a data-at-rest concern and TDE is one approach to addressing it.

> But the company has some internal rules and some of them require "At Rest" encryption, nothing more is mentioned.
> Then, even if TDE is not THE solution in terms of security, it is something that companies want.

Disk-based encryption is available for basically all operating systems
and PostgreSQL works reasonably well on top of encrypted filesystems or
block devices. That's all available today and works quite well to deal
with the "someone stole the disk" or "someone forgot to wipe the drive
before throwing it away" attack vectors.

In particular, I'd encourage you to look at Linux with LUKS for data at
rest encryption. You can then simply run PostgreSQL on top of that and
be protected without any of the complications which TDE introduces.

Thanks,

Stephen

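An added operator's check, written for this page and not part of the thread above or of PostgreSQL itself: when PostgreSQL is run on top of a LUKS volume as suggested, it is worth verifying that the data directory really sits on a dm-crypt mapped filesystem rather than on a plain partition (a tablespace or backup directory on an unencrypted disk silently defeats the "at rest" rule). The script assumes a Linux host where /proc/mounts lists the mounts and /sys/block/dm-*/dm/name and /sys/block/dm-*/dm/uuid describe device-mapper targets; dm-crypt targets opened by cryptsetup carry a uuid beginning with "CRYPT-". The SAMPLE_MOUNTS and SAMPLE_DM_UUIDS values are constructed test data so the logic runs offline; the live branch reads the real files.

```python
#!/usr/bin/env python3
"""Check whether a PostgreSQL data directory is on a dm-crypt (LUKS) mapped device.

Added example, not from the mailing-list thread. Assumes Linux: /proc/mounts for
the mount table and /sys/block/dm-N/dm/{name,uuid} for device-mapper metadata.
"""
import glob
import os
import sys
from typing import Dict, Optional, Tuple

# Constructed sample of /proc/mounts: the cluster directory is on a LUKS-mapped
# volume, but the backups directory is on a plain partition.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/mapper/pgcrypt /var/lib/postgresql xfs rw,noatime 0 0
/dev/sdb1 /var/lib/postgresql/backups ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid 0 0
"""

# Constructed sample of device-mapper name -> dm uuid, as read from
# /sys/block/dm-N/dm/name and /sys/block/dm-N/dm/uuid.
SAMPLE_DM_UUIDS = {
    "pgcrypt": "CRYPT-LUKS2-0123456789abcdef0123456789abcdef-pgcrypt",
    "vg0-swap": "LVM-constructedexamplelvmuuid",
}


def _unescape(field: str) -> str:
    """/proc/mounts encodes space, tab, newline and backslash as octal escapes."""
    return (field.replace("\\040", " ").replace("\\011", "\t")
                 .replace("\\012", "\n").replace("\\134", "\\"))


def mount_for_path(mounts_text: str, path: str) -> Tuple[str, str]:
    """Return (device, mountpoint) of the mount holding `path`; longest prefix wins."""
    path = os.path.normpath(path)
    best: Optional[Tuple[str, str]] = None
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        device, mountpoint = _unescape(parts[0]), _unescape(parts[1])
        if path == mountpoint or path.startswith(mountpoint.rstrip("/") + "/"):
            if best is None or len(mountpoint) > len(best[1]):
                best = (device, mountpoint)
    if best is None:
        raise ValueError(f"no mount found for {path}")
    return best


def is_dm_crypt(device: str, dm_uuids: Dict[str, str]) -> bool:
    """True if `device` is a /dev/mapper node whose dm uuid marks a dm-crypt target.

    Only the /dev/mapper/<name> spelling is handled, which is what /proc/mounts
    shows for cryptsetup-opened volumes in common setups.
    """
    if not device.startswith("/dev/mapper/"):
        return False
    name = device[len("/dev/mapper/"):]
    return dm_uuids.get(name, "").startswith("CRYPT-")


def check_pgdata(pgdata: str, mounts_text: str,
                 dm_uuids: Dict[str, str]) -> Tuple[str, str, bool]:
    """Return (device, mountpoint, encrypted) for the filesystem holding PGDATA."""
    device, mountpoint = mount_for_path(mounts_text, pgdata)
    return device, mountpoint, is_dm_crypt(device, dm_uuids)


def live_dm_uuids() -> Dict[str, str]:
    """Read name -> uuid for every device-mapper device on the running host."""
    uuids: Dict[str, str] = {}
    for name_file in glob.glob("/sys/block/dm-*/dm/name"):
        uuid_file = os.path.join(os.path.dirname(name_file), "uuid")
        try:
            with open(name_file) as f, open(uuid_file) as g:
                uuids[f.read().strip()] = g.read().strip()
        except OSError:
            continue
    return uuids


if __name__ == "__main__":
    pgdata = sys.argv[1] if len(sys.argv) > 1 else "/var/lib/postgresql"
    if os.path.exists("/proc/mounts"):
        with open("/proc/mounts") as f:
            mounts = f.read()
        dm = live_dm_uuids()
    else:  # not Linux: fall back to the constructed sample so the logic is still shown
        mounts, dm = SAMPLE_MOUNTS, SAMPLE_DM_UUIDS
    dev, mnt, enc = check_pgdata(pgdata, mounts, dm)
    state = "dm-crypt backed" if enc else "NOT encrypted at the block level"
    print(f"{pgdata}: on {dev} mounted at {mnt}: {state}")
```

Run it as `python3 check_pgdata.py /path/to/pgdata` on the database host (the file name is arbitrary). Run it once per tablespace location and once for the backup directory as well, since each may live on a different mount; on the constructed sample the cluster directory reports dm-crypt backed while /var/lib/postgresql/backups does not, which is exactly the gap a compliance reviewer would ask about.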