pg_tde
pg_tde : Percona pg_tde access method
Overview
| ID | Extension | Package | Version | Category | License | Language |
|---|---|---|---|---|---|---|
| 7500 | pg_tde | pg_tde | 2.1 | SEC | MIT | C |
| Attribute | Has Binary | Has Library | Need Load | Has DDL | Relocatable | Trusted |
|---|---|---|---|---|---|---|
| --sLd-- | No | Yes | Yes | Yes | no | no |
| Relationships | |
|---|---|
| See Also | pgsodium pgsmcrypto pgcrypto anon pgcryptokey faker sslutils uuid-ossp |
Works only on the Percona PostgreSQL TDE fork.
Packages
| Type | Repo | Version | PG Major Compatibility | Package Pattern | Dependencies |
|---|---|---|---|---|---|
| EXT | PIGSTY | 2.1 | 18 17 16 15 14 | pg_tde | - |
| RPM | PIGSTY | 2.1.1 | 18 17 16 15 14 | percona-postgresql$v | - |
| DEB | PIGSTY | 2.1.1 | 18 17 16 15 14 | percona-postgresql-$v | - |
| Linux / PG | PG18 | PG17 | PG16 | PG15 | PG14 |
|---|---|---|---|---|---|
| el8.x86_64 | MISS | MISS | MISS | MISS | MISS |
| el8.aarch64 | MISS | MISS | MISS | MISS | MISS |
| el9.x86_64 | MISS | MISS | MISS | MISS | MISS |
| el9.aarch64 | MISS | MISS | MISS | MISS | MISS |
| el10.x86_64 | MISS | MISS | MISS | MISS | MISS |
| el10.aarch64 | MISS | MISS | MISS | MISS | MISS |
| d12.x86_64 | MISS | MISS | MISS | MISS | MISS |
| d12.aarch64 | MISS | MISS | MISS | MISS | MISS |
| d13.x86_64 | MISS | MISS | MISS | MISS | MISS |
| d13.aarch64 | MISS | MISS | MISS | MISS | MISS |
| u22.x86_64 | MISS | MISS | MISS | MISS | MISS |
| u22.aarch64 | MISS | MISS | MISS | MISS | MISS |
| u24.x86_64 | MISS | MISS | MISS | MISS | MISS |
| u24.aarch64 | MISS | MISS | MISS | MISS | MISS |
Source
Install
Make sure the PGDG and PIGSTY repos are available:

```bash
pig repo add pgsql -u   # add both repos and update the package cache
```

Install this extension with pig:

```bash
pig install pg_tde;        # install via package name, for the active PG version
pig install pg_tde -v 18;  # install for PG 18
pig install pg_tde -v 17;  # install for PG 17
```

Add this extension to shared_preload_libraries (postgresql.conf takes no trailing semicolon):

```ini
shared_preload_libraries = 'pg_tde'
```

Create this extension with:

```sql
CREATE EXTENSION pg_tde;
```

Usage
pg_tde provides Transparent Data Encryption (TDE) at the file level, encrypting tuples, WAL, and indexes. It works through the tde_heap table access method and supports both a file-based keyring and external Key Management Systems (KMS) as key providers.

```sql
CREATE EXTENSION pg_tde;
```

Configuration

Add to postgresql.conf:

```ini
shared_preload_libraries = 'pg_tde'
```

Setting Up a Key Provider
```sql
-- File-based key provider (database-level)
SELECT pg_tde_add_database_key_provider_file('file_keyring', '/path/to/keyring');

-- Or global-level key provider
SELECT pg_tde_add_global_key_provider_file('file_keyring', '/path/to/keyring');

-- Set the encryption key using a database key provider
SELECT pg_tde_set_key_using_database_key_provider('my_key', 'file_keyring');

-- Or using a global key provider
SELECT pg_tde_set_key_using_global_key_provider('my_key', 'file_keyring');
```

Creating Encrypted Tables
```sql
CREATE TABLE sensitive_data (
    id serial PRIMARY KEY,
    secret text
) USING tde_heap;
```

All data in tables created with USING tde_heap is transparently encrypted on disk.
Checking Encryption Status

```sql
SELECT pg_tde_is_encrypted('sensitive_data');
```

Additional Functions
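Checking one table at a time does not tell you which tables were created with the plain heap access method and therefore sit unencrypted on disk. The audit query below is an added example, not part of the pg_tde or Pigsty documentation; it assumes pg_tde is loaded and a key has been set as in the steps above, and that pg_tde_is_encrypted accepts a regclass argument.

```sql
-- Added example: list every ordinary table in the current database with its
-- access method and pg_tde's own verdict, so unencrypted tables surface first.
-- Assumes pg_tde is preloaded, the extension is created, and a key is set.
SELECT n.nspname                           AS schema_name,
       c.relname                           AS table_name,
       am.amname                           AS access_method,
       pg_tde_is_encrypted(c.oid::regclass) AS encrypted
FROM pg_class c
JOIN pg_namespace n  ON n.oid  = c.relnamespace
JOIN pg_am        am ON am.oid = c.relam
WHERE c.relkind = 'r'                       -- ordinary tables only
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND n.nspname NOT LIKE 'pg_toast%'
ORDER BY encrypted, schema_name, table_name;

-- Any row with access_method = 'heap' (encrypted = false) holds plaintext on
-- disk. To stop new tables from defaulting to plain heap, set the core
-- PostgreSQL GUC default_table_access_method (this is a standard setting,
-- not a pg_tde function) so that CREATE TABLE without USING picks tde_heap:
ALTER SYSTEM SET default_table_access_method = 'tde_heap';
SELECT pg_reload_conf();
```

Run the audit again after the reload and after migrating existing tables (for example with ALTER TABLE ... SET ACCESS METHOD tde_heap) to confirm nothing is left on plain heap.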
| Function | Description |
|---|---|
| pg_tde_add_database_key_provider_file(name, path) | Add a file-based database key provider |
| pg_tde_add_global_key_provider_file(name, path) | Add a file-based global key provider |
| pg_tde_add_database_key_provider_vault_v2(...) | Add a HashiCorp Vault database key provider |
| pg_tde_add_global_key_provider_vault_v2(...) | Add a HashiCorp Vault global key provider |
| pg_tde_set_key_using_database_key_provider(key, provider) | Set encryption key via database provider |
| pg_tde_set_key_using_global_key_provider(key, provider) | Set encryption key via global provider |
| pg_tde_is_encrypted(table) | Check if a table is encrypted |
Notes
- Works only with Percona Server for PostgreSQL 17+
- Encrypts tuples, WAL, and indexes
- Does not yet encrypt temporary files and statistics