| From: | Bruce Momjian <bruce(at)momjian(dot)us> |
|---|---|
| To: | Tomas Vondra <tomas(dot)vondra(at)2ndquadrant(dot)com> |
| Cc: | Stephen Frost <sfrost(at)snowman(dot)net>, Robert Haas <robertmhaas(at)gmail(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Transparent Data Encryption (TDE) and encrypted files |
| Date: | 2019-10-04 20:58:14 |
| Message-ID: | 20191004205814.GC29227@momjian.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Fri, Oct 4, 2019 at 10:46:57PM +0200, Tomas Vondra wrote:
> Oracle also has a handy "TDE best practices" document [2], which says
> when to use column-level encryption - let me quote a couple of points:
>
> * Location of sensitive information is known
>
> * Less than 5% of all application columns are encryption candidates
>
> * Encryption candidates are not foreign-key columns
>
> * Indexes over encryption candidates are normal B-tree indexes (this
> also means no support for indexes on expressions, and likely partial
> indexes)
>
> * No support from hardware crypto acceleration.
Aren't all modern systems going to have hardware crypto acceleration,
i.e., AES-NI CPU extensions. Does that mean there is no value of
partial encryption on such systems? Looking at the overhead numbers I
have seen for AES-NI-enabled systems, I believe it.
--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ As you are, so once was I. As I am, so you will be. +
+ Ancient Roman grave inscription +
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2019-10-04 21:08:29 | Re: Proposal: Make use of C99 designated initialisers for nulls/values arrays |
| Previous Message | Tomas Vondra | 2019-10-04 20:46:57 | Re: Transparent Data Encryption (TDE) and encrypted files |