On Wed, Dec 9, 2020 at 05:18:37PM -0500, Stephen Frost wrote: > Greetings, > > * Daniel Gustafsson (dan...@yesql.se) wrote: > > > On 2 Dec 2020, at 22:38, Bruce Momjian <br...@momjian.us> wrote: > > > Attached is a patch for key management, which will eventually be part of > > > cluster file encryption (CFE), called TDE (Transparent Data Encryption) > > > by Oracle. > > > > The attackvector protected against seems to be operating systems users > > (*without* any legitimate database access) gaining access to the data files. > > That isn't the only attack vector that this addresses (though it is one > that this is envisioned to help with- to wit, someone rsync'ing the DB > directory). TDE also helps with traditional data at rest requirements, > in environments where you don't trust the storage layer to handle that > (for whatever reason), and it's at least imagined that backups with > pg_basebackup would also be encrypted, helping protect against backup > theft. > > There's, further, certainly no shortage of folks asking for this.
Can we flesh this out more in the docs? Any idea on wording compared to what I have? -- Bruce Momjian <br...@momjian.us> https://momjian.us EnterpriseDB https://enterprisedb.com The usefulness of a cup is in its emptiness, Bruce Lee
