Re: Transparent Data Encryption (TDE) and encrypted files

On Thu, Oct 3, 2019 at 4:40 PM Stephen Frost <sfrost(at)snowman(dot)net> wrote:

>
> * Robert Haas (robertmhaas(at)gmail(dot)com) wrote:
> > On Mon, Sep 30, 2019 at 5:26 PM Bruce Momjian <bruce(at)momjian(dot)us> wrote:
> > > For full-cluster Transparent Data Encryption (TDE), the current plan is
> > > to encrypt all heap and index files, WAL, and all pgsql_tmp (work_mem
> > > overflow). The plan is:
> > >
> > >
> https://wiki.postgresql.org/wiki/Transparent_Data_Encryption#TODO_for_Full-Cluster_Encryption
> > >
> > > We don't see much value to encrypting vm, fsm, pg_xact, pg_multixact,
> or
> > > other files. Is that correct? Do any other PGDATA files contain user
> > > data?
> >
> > As others have said, that sounds wrong to me. I think you need to
> > encrypt everything.
>
> That isn't what other database systems do though and isn't what people
> actually asking for this feature are expecting to have or deal with.
>

Do any of said other database even *have* the equivalence of say pg_clog or
pg_multixact *stored outside their tablespaces*? (Because as long as the
data is in the tablespace, it's encrypted when using tablespace
encryption..)

--
Magnus Hagander
Me: https://www.hagander.net/ <http://www.hagander.net/>
Work: https://www.redpill-linpro.com/ <http://www.redpill-linpro.com/>