Re: Enquiry about TDE with PgSQL

From: Ron Johnson <ronljohnsonjr(at)gmail(dot)com>
To: pgsql-general <pgsql-general(at)postgresql(dot)org>
Subject: Re: Enquiry about TDE with PgSQL
Date: 2025-10-17 04:49:06
Message-ID: CANzqJaA41CzNjkiQex+A0u9z11i6R3WQZJ+fkXfJO7VJwOMWzg@mail.gmail.com
Lists: pgsql-general

On Thu, Oct 16, 2025 at 6:05 PM Greg Sabino Mullane <htamfids(at)gmail(dot)com> wrote:

> I would like to enquire that based on the anecdotal experience of group
>> members, which TDE solution works best for PgSQL 17 databases.
>
>
> Generally speaking, there is no "best". People use whatever vendor they
> happen to already use. Your best solution is to avoid TDE altogether. If
> you really need encryption at rest, have the OS do it. That works well
> (transparently, even), is very battle-tested, and has minimal performance
> impact.
>

But filesystem encryption still means that validly logged-in users see the
unencrypted data. That's great for a laptop that might get stolen, or for
drives that are discarded without being wiped, but it is no protection
against hackers who want to exfiltrate your data.

(Neither protects against ransomware, but that's a different problem.)

> TDE, on the other hand, is a very complex and difficult thing to add
> into Postgres.
>

TDE was added to SQL Server, with (to us, at least) minimally noticed
overhead. Oracle has it, too, but I don't know the details.

The bottom line is that requirements for TDE are escalating, whether you
like it or not, as Yet Another Layer Of Defense against hackers
exfiltrating data, and then threatening to leak it to the public.

--
Death to <Redacted>, and butter sauce.
Don't boil me, I'm still alive.
<Redacted> lobster!
