Re: Enquiry about TDE with PgSQL
| From | Laurenz Albe |
|---|---|
| Subject | Re: Enquiry about TDE with PgSQL |
| Date | |
| Msg-id | bb3db67c53fc1c58ba1fae740b52cb7450fbcab3.camel@cybertec.at |
| In reply to | Re: Enquiry about TDE with PgSQL (Bruce Momjian <bruce@momjian.us>) |
| Responses | Re: Enquiry about TDE with PgSQL |
| List | pgsql-general |

On Mon, 2025-11-03 at 11:56 -0500, Bruce Momjian wrote:
> The problem with the Percona extension is it seems like it was developed
> mostly/all by Percona employees, meaning development was driven/steered
> by Percona, and there was insufficient feedback from the community for
> it to be polished enough to be a general community solution.

Reading a Percona blog, it looks like you need a modified server to get to encrypt WAL, and they probably have no support for encrypting temporary files. So I'd say that TDE can probably not be a pure extension. Perhaps somebody from Percona can confirm.

But I don't think it's a shortage of implementations for TDE that is the problem. Since you say that encrypting the temp files is the biggest hurdle for community acceptance, what about a first version that does not encrypt temp files? For one, that will be good for encrypted backups (which is one of the good use cases for TDE), and then you could argue that temp files are not data *at rest*, so data-at-rest-encryption does not apply to them.

Rome wasn't built in a day, and neither were parallel query or declarative partitioning.

Yours,
Laurenz Albe