On Fri, Oct 4, 2019 at 10:46:57PM +0200, Tomas Vondra wrote: > Oracle also has a handy "TDE best practices" document [2], which says > when to use column-level encryption - let me quote a couple of points: > > * Location of sensitive information is known > > * Less than 5% of all application columns are encryption candidates > > * Encryption candidates are not foreign-key columns > > * Indexes over encryption candidates are normal B-tree indexes (this > also means no support for indexes on expressions, and likely partial > indexes) > > * No support from hardware crypto acceleration.
Aren't all modern systems going to have hardware crypto acceleration, i.e., AES-NI CPU extensions. Does that mean there is no value of partial encryption on such systems? Looking at the overhead numbers I have seen for AES-NI-enabled systems, I believe it. -- Bruce Momjian <br...@momjian.us> http://momjian.us EnterpriseDB http://enterprisedb.com + As you are, so once was I. As I am, so you will be. + + Ancient Roman grave inscription +
