Re: Value of Transparent Data Encryption (TDE)

2019-10-03 Thread David Fetter
On Thu, Oct 03, 2019 at 10:26:15AM -0400, Robert Haas wrote:
> On Tue, Oct 1, 2019 at 12:19 PM Bruce Momjian wrote:
> > Just to give more detail. Initially, there was a desire to store
> > keys in only one place, either in the file system or in database
> > tables. However, it became clear that

Re: Value of Transparent Data Encryption (TDE)

2019-10-03 Thread Tomas Vondra
On Thu, Oct 03, 2019 at 10:43:21AM -0400, Stephen Frost wrote:
Greetings,
* Robert Haas (robertmh...@gmail.com) wrote:
On Tue, Oct 1, 2019 at 12:19 PM Bruce Momjian wrote:
> Just to give more detail. Initially, there was a desire to store keys
> in only one place, either in the file system or

Re: Value of Transparent Data Encryption (TDE)

2019-10-03 Thread Stephen Frost
Greetings,
* Robert Haas (robertmh...@gmail.com) wrote:
> On Tue, Oct 1, 2019 at 12:19 PM Bruce Momjian wrote:
> > Just to give more detail. Initially, there was a desire to store keys
> > in only one place, either in the file system or in database tables.
> > However, it became clear that the n

Re: Value of Transparent Data Encryption (TDE)

2019-10-03 Thread Robert Haas
On Tue, Oct 1, 2019 at 12:19 PM Bruce Momjian wrote:
> Just to give more detail. Initially, there was a desire to store keys
> in only one place, either in the file system or in database tables.
> However, it became clear that the needs of booting the server and crash
> recovery required file sys

Re: Value of Transparent Data Encryption (TDE)

2019-10-01 Thread Bruce Momjian
On Tue, Oct 1, 2019 at 11:54:26AM -0400, Bruce Momjian wrote:
> On Tue, Oct 1, 2019 at 03:43:05PM +0200, Tomas Vondra wrote:
> > Plus it allows features you can't easily achieve with fs encryption,
> > because the filesystem only sees opaque data files. So having keys per
> > database/user/... is

Re: Value of Transparent Data Encryption (TDE)

2019-10-01 Thread Bruce Momjian
On Tue, Oct 1, 2019 at 03:43:05PM +0200, Tomas Vondra wrote:
> On Mon, Sep 30, 2019 at 05:40:52PM -0400, Bruce Momjian wrote:
> Maybe. I think this is approaching the problem from the wrong angle.
> Encryption is more a means of achieving something. OK, for compliance
> purposes it's useful to be

Re: Value of Transparent Data Encryption (TDE)

2019-10-01 Thread Tomas Vondra
On Mon, Sep 30, 2019 at 05:40:52PM -0400, Bruce Momjian wrote:
The plan for full-cluster Transparent Data Encryption (TDE) is here:
https://wiki.postgresql.org/wiki/Transparent_Data_Encryption#TODO_for_Full-Cluster_Encryption
The values it has, I think, are:
* encrypts data for anyon

Value of Transparent Data Encryption (TDE)

2019-09-30 Thread Bruce Momjian
The plan for full-cluster Transparent Data Encryption (TDE) is here:
https://wiki.postgresql.org/wiki/Transparent_Data_Encryption#TODO_for_Full-Cluster_Encryption
The values it has, I think, are:
* encrypts data for anyone with read-access to the file system (but not memory)