From: Tomas Vondra [mailto:tomas.von...@2ndquadrant.com]
> Let me share some of the issues mentioned as possibly addressed by TDE
> (I'm not entirely sure TDE actually solves them, I'm just saying those
> were mentioned in previous discussions):

FYI, our product provides TDE like Oracle and SQL Server, which enables encryption per tablespace. Relations, WAL records and temporary files related to encrypted tablespaces are encrypted.

http://www.fujitsu.com/global/products/software/middleware/opensource/postgres/

(I wonder why the web site doesn't offer the online manual... I've recognized we need to fix this situation. Anyway, I guess the downloadable trial version includes the manual.)

> 1) enterprise requirement - Companies want in-database encryption, for
> various reasons (because "enterprise solution" or something).

To assist compliance with PCI DSS, HIPAA, etc.

> 2) like FDE, but OS/filesystem independent - Same config on any OS and
> filesystem, which may make maintenance easier.
>
> 3) does not require special OS/filesystem setup - Does not require help
> from system administrators, setup of LUKS devices or whatever.
>
> 4) all filesystem access (basebackups/rsync) is encrypted anyway
>
> 5) solves key management (the main challenge with pgcrypto)
>
> 6) allows encrypting only some of the data (tables, columns) to minimize
> performance impact

All yes.

> IMHO it makes sense to have TDE even if it provides the same "security"
> as disk-level encryption, assuming it's more convenient to setup/use
> from the database.

Agreed.

Regards
Takayuki Tsunakawa