The Challenge of TDE in PostgreSQL

Bruce Momjian shares an update:

I first blogged about Transparent Data Encryption (TDE) in 2019, which was more thoroughly analyzed in a blog post in 2023. An email exchange in December 2024 summarized the most up-to-date status of this feature:

When I started focusing on TDE, it was going to require changes to buffer reads/writes, WAL, and require a way to store secret keys. I thought those changes would be acceptable given TDE's security value. Once file I/O changes were required, I think the balance tilted to TDE requiring too many code changes given its security value (not policy compliance value).

Read on for Bruce’s take now. Coming from the SQL Server world, where TDE has been in the product since 2008, I generally agree that there are better ways to ensure regulatory compliance. It’s not like TDE is actively harmful or anything, but considering that all of the relevant keys and certificates need to be on the local server to begin with, this prevents a limited number of situations from exposing your data, and there tend to be less resource-intensive alternatives for those situations.
