In the implementation of TDE, why is encryption performed before compression? What is the rationale behind this?

[wsg314]

From the perspective of TDE function implementation, the sequence of operations when reading data is: read data -> decompress data -> decrypt data; when writing data, the sequence is: encrypt data -> compress data -> write data to disk. Placing the encryption operation before the compression operation almost renders the compression ineffective. Why is this processing method adopted?

[kongfanshen-0801]

Generally, data should be compressed first and then encrypted when written.
However, when TDE was first designed, it mainly aimed to support heap tables, which do not support compression.
AO/AOCS tables were implemented later; to keep the code simple, the same codebase was reused, so the order of compression and encryption was not taken into account.

[wsg314]

Do you have any plans to readjust the processing sequence in the future?

[kongfanshen-0801]

I am working on other projects and have no plans to process the encryption and compression sequence issues.

[tuhaihe]

Hi @wsg314 welcome to contribute if you have a chance. 🫶