| From: | David Fetter <david(at)fetter(dot)org> |
|---|---|
| To: | Robert Haas <robertmhaas(at)gmail(dot)com> |
| Cc: | Bruce Momjian <bruce(at)momjian(dot)us>, Tomas Vondra <tomas(dot)vondra(at)2ndquadrant(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Value of Transparent Data Encryption (TDE) |
| Date: | 2019-10-03 20:55:18 |
| Message-ID: | 20191003205517.GM26480@fetter.org |
| Lists: | pgsql-hackers |

On Thu, Oct 03, 2019 at 10:26:15AM -0400, Robert Haas wrote:
> On Tue, Oct 1, 2019 at 12:19 PM Bruce Momjian <bruce(at)momjian(dot)us> wrote:
> > Just to give more detail. Initially, there was a desire to store
> > keys in only one place, either in the file system or in database
> > tables. However, it became clear that the needs of booting the
> > server and crash recovery required file system keys, and
> > per-user/db keys were best done at the SQL level, so that indexing
> > can be used, and logical dumps contain the locked keys. SQL-level
> > storage allows databases to be completely independent of other
> > databases in terms of key storage and usage.
>
> Wait, we're going to store the encryption keys with the database?

Encryption keys are fine there so long as decryption keys are
separate.

Best,
David.
--
David Fetter <david(at)fetter(dot)org> http://fetter.org/
Phone: +1 415 235 3778
Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate