pg_tde
pg_tde : Percona pg_tde access method
Overview
| ID | Extension | Package | Version | Category | License | Language |
|---|---|---|---|---|---|---|
| 7500 | pg_tde | pg_tde | 2.1 | SEC | MIT | C |
| Attribute | Has Binary | Has Library | Need Load | Has DDL | Relocatable | Trusted |
|---|---|---|---|---|---|---|
| --sLd-- | No | Yes | Yes | Yes | No | No |
| Relationships | |
|---|---|
| See Also | pgsodium, pgsmcrypto, pgcrypto, anon, pgcryptokey, faker, sslutils, uuid-ossp |
Works only on the Percona Server for PostgreSQL TDE fork (the percona-postgresql packages below), not on stock PostgreSQL.
Packages
| Type | Repo | Version | PG Major Compatibility | Package Pattern | Dependencies |
|---|---|---|---|---|---|
| EXT | PIGSTY | 2.1 | 18, 17, 16, 15, 14 | pg_tde | - |
| RPM | PIGSTY | 2.1.1 | 18, 17, 16, 15, 14 | percona-postgresql$v | - |
| DEB | PIGSTY | 2.1.1 | 18, 17, 16, 15, 14 | percona-postgresql-$v | - |
| Linux / PG | PG18 | PG17 | PG16 | PG15 | PG14 |
|---|---|---|---|---|---|
| el8.x86_64 | MISS | MISS | MISS | MISS | MISS |
| el8.aarch64 | MISS | MISS | MISS | MISS | MISS |
| el9.x86_64 | MISS | MISS | MISS | MISS | MISS |
| el9.aarch64 | MISS | MISS | MISS | MISS | MISS |
| el10.x86_64 | MISS | MISS | MISS | MISS | MISS |
| el10.aarch64 | MISS | MISS | MISS | MISS | MISS |
| d12.x86_64 | MISS | MISS | MISS | MISS | MISS |
| d12.aarch64 | MISS | MISS | MISS | MISS | MISS |
| d13.x86_64 | MISS | MISS | MISS | MISS | MISS |
| d13.aarch64 | MISS | MISS | MISS | MISS | MISS |
| u22.x86_64 | MISS | MISS | MISS | MISS | MISS |
| u22.aarch64 | MISS | MISS | MISS | MISS | MISS |
| u24.x86_64 | MISS | MISS | MISS | MISS | MISS |
| u24.aarch64 | MISS | MISS | MISS | MISS | MISS |
Source
Install
Make sure the PGDG and PIGSTY repos are available:
pig repo add pgsql -u # add both repos and update the cache
Install this extension with pig:
pig install pg_tde; # install via package name, for the active PG version
pig install pg_tde -v 18; # install for PG 18
pig install pg_tde -v 17; # install for PG 17
Add this extension to shared_preload_libraries (this setting only takes effect at server start, so restart PostgreSQL afterwards):
shared_preload_libraries = 'pg_tde'
Create this extension with:
CREATE EXTENSION pg_tde;
Usage
pg_tde provides Transparent Data Encryption (TDE) at the file level: tables that use the tde_heap access method have their tuples and indexes encrypted on disk, and WAL encryption is supported as well. Encryption keys come from a key provider, which can be a local keyring file or an external Key Management System (KMS) such as HashiCorp Vault.
CREATE EXTENSION pg_tde;
Configuration
Add to postgresql.conf and restart the server (the library must be preloaded before the extension can be used):
shared_preload_libraries = 'pg_tde'
Setting Up a Key Provider
-- File-based key provider (database-level)
SELECT pg_tde_add_database_key_provider_file('file_keyring', '/path/to/keyring');
-- Or global-level key provider
SELECT pg_tde_add_global_key_provider_file('file_keyring', '/path/to/keyring');
-- Set the encryption key using a database key provider
SELECT pg_tde_set_key_using_database_key_provider('my_key', 'file_keyring');
-- Or using a global key provider
SELECT pg_tde_set_key_using_global_key_provider('my_key', 'file_keyring');
Creating Encrypted Tables
CREATE TABLE sensitive_data (
id serial PRIMARY KEY,
secret text
) USING tde_heap;
All data in tables created with USING tde_heap is transparently encrypted on disk.
Checking Encryption Status
SELECT pg_tde_is_encrypted('sensitive_data');
Additional Functions
| Function | Description |
|---|---|
| pg_tde_add_database_key_provider_file(name, path) | Add a file-based database key provider |
| pg_tde_add_global_key_provider_file(name, path) | Add a file-based global key provider |
| pg_tde_add_database_key_provider_vault_v2(...) | Add a HashiCorp Vault database key provider |
| pg_tde_add_global_key_provider_vault_v2(...) | Add a HashiCorp Vault global key provider |
| pg_tde_set_key_using_database_key_provider(key, provider) | Set encryption key via database provider |
| pg_tde_set_key_using_global_key_provider(key, provider) | Set encryption key via global provider |
| pg_tde_is_encrypted(table) | Check if a table is encrypted |
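The steps above (register a provider, set the key, create a tde_heap table, verify) as one psql session, followed by a catalog audit that lists which tables are still on plain heap. This is an added example, not code from this page or from Percona: the keyring path, the provider and key names, and the sample row are all assumed or constructed, and the session presumes pg_tde is already in shared_preload_libraries and the server has been restarted.

```sql
-- Added worked example (not from the page or from Percona).
-- Assumptions: pg_tde is preloaded and the server restarted;
-- '/var/lib/pgsql/pg_tde/keyring' is a hypothetical path writable only by
-- the postgres OS user; provider and key names are arbitrary.

CREATE EXTENSION IF NOT EXISTS pg_tde;

-- 1. Register a database-scoped file provider. The file provider keeps the
--    key material on local disk, so treat it as a test/dev setup: keep the
--    file at mode 0600 and prefer a Vault/KMS provider in production.
SELECT pg_tde_add_database_key_provider_file(
    'file_keyring', '/var/lib/pgsql/pg_tde/keyring');

-- 2. Create/activate the principal key for this database via that provider.
SELECT pg_tde_set_key_using_database_key_provider('app_key', 'file_keyring');

-- 3. An encrypted table (tde_heap) beside a plain one (heap), for contrast.
CREATE TABLE customer_secret (
    id  serial PRIMARY KEY,
    ssn text NOT NULL
) USING tde_heap;

CREATE TABLE customer_public (
    id       serial PRIMARY KEY,
    nickname text
);  -- default access method is heap: stored in clear on disk

INSERT INTO customer_secret (ssn) VALUES ('000-00-0000');  -- constructed sample row

-- 4. Verify: expect true for customer_secret and false for customer_public.
SELECT c.relname, pg_tde_is_encrypted(c.oid::regclass) AS encrypted
FROM   pg_class c
WHERE  c.relname IN ('customer_secret', 'customer_public');

-- 5. Convert an existing plain table in place. This is core PostgreSQL
--    syntax (PG15+): it rewrites the whole table under an ACCESS EXCLUSIVE
--    lock, so schedule it like any other full-table rewrite.
ALTER TABLE customer_public SET ACCESS METHOD tde_heap;

-- Alternative for new objects: make tde_heap the session/role default so
-- nobody forgets the USING clause (core GUC, can also go in postgresql.conf).
SET default_table_access_method = 'tde_heap';

-- 6. Audit: every ordinary table and materialized view with its access
--    method and encryption state, unencrypted ones first, for sign-off.
SELECT n.nspname, c.relname, a.amname,
       pg_tde_is_encrypted(c.oid::regclass) AS encrypted
FROM   pg_class c
JOIN   pg_namespace n ON n.oid = c.relnamespace
JOIN   pg_am        a ON a.oid = c.relam
WHERE  c.relkind IN ('r', 'm')
  AND  n.nspname NOT IN ('pg_catalog', 'information_schema')
ORDER  BY encrypted, n.nspname, c.relname;
```

The audit query is the check worth keeping in a deployment runbook: pg_tde only encrypts relations that actually use tde_heap, so a table created without the USING clause (or before the default was changed) silently stays in cleartext, and the catalog join is the quickest way to catch that. The Notes below also apply: temporary files and statistics are outside what this verifies.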
Notes
- Works only with Percona Server for PostgreSQL 17+
- Encrypts tuples, WAL, and indexes
- Does not yet encrypt temporary files and statistics