Le Tue, 11 Mar 2025 22:03:50 -0400, Ron Johnson <ronljohnsonjr@xxxxxxxxx> a écrit : > On Tue, Mar 11, 2025 at 9:48 PM Siraj G <tosiraj.g@xxxxxxxxx> wrote: > > > Hello Experts! > > > > What are the features available in Postgresql to hide PII (personal > > identifiable information) from the Admin team? Like in Oracle we have data > > vault and data redaction, I am looking for similar features in > > PostgreSQL.We do not want to do code level changes. > > Look at pgsodium. However, "no code level changes" is code for at-rest > encryption. Unless I'm wrong, pgsodium will not protect you from Admin team. The "postgres" role will always be able to read your keys or meta-data to derive them from the master key if they are stored inside the database… and root might be able to scan the memory to find the master key I suppose. Storing the keys outisde the database means code level change. Your best bet would be the Transparent Column Encryption patch, but it is stalled for one year. In last resort, I suppose selinux/sepgsql machinery can lock everything the way you want, even without encryption… good luck.
