Re: Enquiry about TDE with PgSQL

From: Rainer Duffner <rainer(at)ultra-secure(dot)de>
To: Ken Marshall <ktm(at)rice(dot)edu>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: Enquiry about TDE with PgSQL
Date: 2025-11-01 20:07:01
Message-ID: 86C8ECFE-942C-4364-A5BF-3404D50CD661@ultra-secure.de
Lists: pgsql-general


> On 01.11.2025 at 19:54, Ken Marshall <ktm(at)rice(dot)edu> wrote:
>
> +1 from me for having TDE in-core or available as an extension
>
> The security auditors that I have worked with have been increasingly
> unwilling to actually evaluate the merits of an implementation or perhaps
> no longer have the knowledge or skills needed. This is a needed
> checkbox to allow PostgreSQL to be deployed in those environments.
>

Do you actually have HSMs with your TDE (assuming you use it elsewhere)?
We run, for a customer, an Oracle DataGuard configuration with TDE with a HSM.

We have a support contract with a 3rd-party company that helps us with the more obscure problems on Oracle that we don’t encounter every day, and they told us that of all their clients (banks, insurance companies), we are the only ones with TDE. They loathe working with it ;-)

There’s apparently another non-disclosed customer that uses it.

It may be that a lot of people now use "cloud HSMs" - but I’m a bit of a purist for these kinds of things, in that I believe that unless you own the hardware (HSMs are usually tamper-proof enough that you can deploy them in 3rd-party datacenters that aren’t your own), you don’t really control the keys.

In our case, the databases are backed up with rman to an NFS share that is provided by a virtualized Linux server - the servers themselves are hardware.

If you don’t have TDE, your backups aren’t encrypted and they end up on the Veeam server like everything else, where an admin could copy them somewhere else and potentially take them elsewhere.

With the HSM, we don’t actually know the secret to decrypt the data (there may be a way to get it, I don’t know). We know the secret to unseal the wallet (that sits on the HSM, I believe) so that the database actually mounts and starts.

It’s pretty bullet-proof (I believe there are techniques to prevent sniffing out the secret from RAM, and HSMs usually implement those in their client software).
In fact, it’s so bullet-proof that should you lose the keys on the HSM, your data is gone if you have no other backups or backups of the HSM.

If the amount of data is small enough, you can GPG-encrypt a "normal" full dump - but that becomes unfeasible as database size grows.
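As an added illustration of the GPG-encrypted-dump approach mentioned above (this is example code, not something from the message or from the PostgreSQL project): the dump is piped straight into `gpg` with public-key encryption, so the plaintext never touches disk and the host that writes the backup holds only the public key. The private key lives on a separate restore host, which addresses the "admin copies the backup file elsewhere" concern for the dump case. The recipient `backup@example.invalid`, the temporary key, the paths and the sample dump text are all constructed here; the `pg_dump` usage line is shown only in a comment.

```shell
#!/usr/bin/env sh
# Added example, not from the mailing-list post. Encrypts a logical dump stream
# with GPG public-key encryption so the backup writer cannot decrypt what it wrote.
# Constructed assumptions: recipient backup@example.invalid, a throwaway key
# generated in a temporary GNUPGHOME, and a hand-written sample dump.
set -eu

# Encrypt stdin to stdout for RECIPIENT. Only the public key is needed here;
# plaintext stays inside the pipe and is never written unencrypted.
encrypt_dump_stream() {
    recipient="$1"
    gpg --batch --quiet --yes --trust-model always \
        --encrypt --recipient "$recipient"
}

# Decrypt an encrypted dump file to stdout. This only works where the private
# key is present (the restore host), not on the backup target.
decrypt_dump_file() {
    gpg --batch --quiet --pinentry-mode loopback --decrypt "$1"
}

# Constructed stand-in for pg_dump text output, used so the demo runs offline.
sample_dump() {
    cat <<'EOF'
-- constructed sample dump (not real pg_dump output)
CREATE TABLE accounts (id integer, iban text);
INSERT INTO accounts VALUES (1, 'DE00SAMPLE0000000001');
EOF
}

# Round trip: generate a throwaway key, encrypt the sample dump, check that
# the ciphertext contains none of the plaintext, decrypt, and compare.
# Returns 0 on success, 1 on any mismatch.
demo_roundtrip() {
    recipient='backup@example.invalid'
    workdir="$(mktemp -d)"
    GNUPGHOME="$workdir/gnupg"
    export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    # Passphrase-less key only for the demo; a real backup key would be protected.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$recipient" default default never 2>/dev/null

    sample_dump | encrypt_dump_stream "$recipient" > "$workdir/dump.sql.gpg"

    if grep -q 'DE00SAMPLE' "$workdir/dump.sql.gpg"; then
        echo "plaintext leaked into ciphertext" >&2
        return 1
    fi

    decrypt_dump_file "$workdir/dump.sql.gpg" > "$workdir/dump.sql"
    if ! sample_dump | cmp -s - "$workdir/dump.sql"; then
        echo "round trip mismatch" >&2
        return 1
    fi

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$workdir"
    return 0
}

# Real use (backup host has only the public key imported):
#   pg_dump -Fc mydb | encrypt_dump_stream backup@example.invalid > /nfs/backups/mydb.dump.gpg
# Run this file with the argument "demo" to exercise the offline round trip.
if [ "${1:-}" = "demo" ]; then
    demo_roundtrip && echo "round trip OK"
fi
```

Two points the example is meant to make: encryption is done in the stream, so nothing unencrypted is staged on the NFS share or the backup server; and because the recipient's private key is never imported on the backup host, copying the `.gpg` file elsewhere yields nothing without access to the restore host's keyring. As the message notes, this scales only as far as a full logical dump does.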
