| From: | rainer(at)ultra-secure(dot)de |
|---|---|
| To: | Bruce Momjian <bruce(at)momjian(dot)us> |
| Cc: | Ken Marshall <ktm(at)rice(dot)edu>, pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Enquiry about TDE with PgSQL |
| Date: | 2025-11-03 15:39:45 |
| Message-ID: | 3a9ca8cf6bfa3916619ee8e2c8ff3e30@ultra-secure.de |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Am 2025-11-03 16:08, schrieb Bruce Momjian:
> Is it the Oracle API they don't like, that Postgres can improve upon,
> or
> something fundamental they don't like, or don't see the value in?
I am not sure.
It just complicates everything.
Documentation isn't thin, it's skeletal.
And of course, actual support from the HSM-vendor for this use-case is
non-existent.
Same for Oracle.
They'll both point at each other.
Who'd have thought that.
> As far as I know, there are two ways to generate the data encryption
> key. One is for the HSM to generate it, and then only the HSM knows
> it.
> The other method is to create the encryption key on a USB memory stick,
> copy the key into the HSM, and then remove the USB memory stick and
> store it in a secure location like a safe. The second method seems
> like
> a better option to me. Oh, and make a second copy of the USB memory
> stick.
The keys are generated on the HSM.
There's HSM client you've got to install that manages the communication
to the HSM.
The HSM should be backed up, too. Which is only possible by connecting
physically to it with a notebook and inserting an USB stick.
Which begs the question: where do you source an USB stick with the same
trust-level as the 20k-a-pop HSM?
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Adrian Klaver | 2025-11-03 16:00:24 | Re: Increasing a NUMERIC column precision doesn't cause a table rewrite. Why? |
| Previous Message | Bruce Momjian | 2025-11-03 15:08:15 | Re: Enquiry about TDE with PgSQL |