On Wed, Dec 9, 2020 at 05:18:37PM -0500, Stephen Frost wrote:
> Greetings,
>
> * Daniel Gustafsson (daniel@yesql.se) wrote:
> > > On 2 Dec 2020, at 22:38, Bruce Momjian <bruce@momjian.us> wrote:
> > > Attached is a patch for key management, which will eventually be part of
> > > cluster file encryption (CFE), called TDE (Transparent Data Encryption)
> > > by Oracle.
> >
> > The attackvector protected against seems to be operating systems users
> > (*without* any legitimate database access) gaining access to the data files.
>
> That isn't the only attack vector that this addresses (though it is one
> that this is envisioned to help with- to wit, someone rsync'ing the DB
> directory). TDE also helps with traditional data at rest requirements,
> in environments where you don't trust the storage layer to handle that
> (for whatever reason), and it's at least imagined that backups with
> pg_basebackup would also be encrypted, helping protect against backup
> theft.
>
> There's, further, certainly no shortage of folks asking for this.
Can we flesh this out more in the docs? Any idea on wording compared to
what I have?
--
Bruce Momjian <bruce@momjian.us> https://momjian.us
EnterpriseDB https://enterprisedb.com
The usefulness of a cup is in its emptiness, Bruce Lee