| From: | Christophe Pettus <xof(at)thebuild(dot)com> |
|---|---|
| To: | "Clay Jackson (cjackson)" <Clay(dot)Jackson(at)quest(dot)com> |
| Cc: | Bruce Momjian <bruce(at)momjian(dot)us>, Adrian Klaver <adrian(dot)klaver(at)aklaver(dot)com>, Kai Wagner <kai(dot)wagner(at)percona(dot)com>, Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at>, Ron Johnson <ronljohnsonjr(at)gmail(dot)com>, pgsql-general <pgsql-general(at)postgresql(dot)org> |
| Subject: | Re: Enquiry about TDE with PgSQL |
| Date: | 2025-10-31 17:40:56 |
| Message-ID: | 9358BA09-E2C6-4116-9E9E-3DA5D31A11DA@thebuild.com |
| Lists: | pgsql-general |

> On Oct 31, 2025, at 10:32, Clay Jackson (cjackson) <Clay(dot)Jackson(at)quest(dot)com> wrote:
>
> Pardon me for jumping in here - but would filesystem level encryption possibly meet your requirements?

If we're talking about PCI DSS, the answer is: Yes, but. Filesystem-level encryption is acceptable IF the encryption keys (or other passwords used to unlock them) are separate from the user access controls to the host that has the encrypted volume attached. You have to go through a second step of decrypting the volume (or making it available for decrypted reads) separate from just mounting it.