(A) What are the recommended ways to encode Postrgres data at rest (tables+indexes+rows)? The Postgres documentation suggests options [0], but I have no familiarity with any. I prefer to not purchase something.
(B) When configuring Postgres with TLS/SSL, one needs to make private keys [1] which can lead to a prompt for a PEM pass phrase. Once all done with Postgres running, do I need to retain the PEM passkey? (The private key itself needs to be retained, of course).
[0] https://www.postgresql.org/docs/18/encryption-options.html
[1] openssl genrsa -aes256 -out
You want the encryption at rest. For that you have 3 Options:
1. Encryption in the application.
2. Use of pgcrypto as documented.
3. Encryption of the partition where postgres stores the data via LUKS or similar.
For 1. and 2. it means that indices for encrypted columns become useless and are only a waste of cpu time.
2. has the problem of transitting the key at the start of the connection, so it needs to be encrypted(tls encryption).
Its a bit of an fault with the documentation since it mixes the two types of encryption up.