Re: Enquiry about TDE with PgSQL

Am 2025-11-03 16:08, schrieb Bruce Momjian:

> Is it the Oracle API they don't like, that Postgres can improve upon, 
> or
> something fundamental they don't like, or don't see the value in?


I am not sure.

It just complicates everything.
Documentation isn't thin, it's skeletal.

And of course, actual support from the HSM-vendor for this use-case is 
non-existent.
Same for Oracle.

They'll both point at each other.

Who'd have thought that.

> As far as I know, there are two ways to generate the data encryption
> key.  One is for the HSM to generate it, and then only the HSM knows 
> it.
> The other method is to create the encryption key on a USB memory stick,
> copy the key into the HSM, and then remove the USB memory stick and
> store it in a secure location like a safe.  The second method seems 
> like
> a better option to me.  Oh, and make a second copy of the USB memory
> stick.


The keys are generated on the HSM.
There's HSM client you've got to install that manages the communication 
to the HSM.

The HSM should be backed up, too. Which is only possible by connecting 
physically to it with a notebook and inserting an USB stick.

Which begs the question: where do you source an USB stick with the same 
trust-level as the 20k-a-pop HSM?