On Thu, Dec 22, 2022 at 11:15:57AM +0100, Rainer Duffner wrote: > I wasn’t involved in setting it up here, but AFAIK you need to „enroll“ the > client to the HSM. > > That is a one-time process that requires HSM credentials (via certificates and > pass-phrases). > > Then, that client can talk to the HSM. > > The HSM-client is (or should be) engineered in such a way that you can’t > extract the encryption-secret easily. > > I am not sure, but IIRC, you should not even be able to clone the VM without > the HSM noticing or the clone not working at all to begin with (for lack of > enrollment). Though most production databases are too large to just „clone“. > > Maybe someone who knows more about this subject can chime in before I make a > fool of myself? This wiki should help: https://wiki.postgresql.org/wiki/Transparent_Data_Encryption Also, the first two patches in this email are doc patches which explain the benefits: https://www.postgresql.org/message-id/20210625212204.GA7256@xxxxxxxxxx -- Bruce Momjian <bruce@xxxxxxxxxx> https://momjian.us EDB https://enterprisedb.com Embrace your flaws. They make you human, rather than perfect, which you will never be.