Re: postgres zeroization of dead tuples ? i.e scrubbing dead tuples with sensitive data.

Alvaro Herrera <alvherre@2ndquadrant.com> writes:
> David G. Johnston wrote:
>> On Wed, Nov 18, 2015 at 12:45 PM, Day, David <dday@redcom.com> wrote:
>>> I believe the   concern,  based on my current understanding  of postgres
>>> inner workings,  is  that when a dead tuple is reclaimed by vacuuming:  Is
>>> that reclaimed space initialized in some fashion that would  shred any
>>> sensitive data that was formerly there to any  inspection by  the
>>> subsequent owner of  that disk page ? ( zeroization )

> No.  Ultimately, space occupied by dead tuples is "freed" in
> PageRepairFragmentation(), src/backend/storage/page/bufpage.c;
> the contents of the tuples are shuffled to "defragment" the free space,
> but the free space is not zeroed.  You could certainly try to read the
> unused page and extract some data from there.

It's quite unclear to me what threat model such a behavior would add
useful protection against.

            regards, tom lane