pg_tde documentation¶
pg_tde is the extension that brings in Transparent Data Encryption (TDE) to PostgreSQL and enables users to keep sensitive data safe and secure. It enables users to configure encryption differently for each database, encrypting specific tables in some databases with different encryption keys, while keeping others non encrypted.
Important
This is the Alpha1 version of the extension and is not meant for production use yet.
What’s encrypted¶
pg_tde encrypts the following:
- User data in tables, including TOAST tables, that are created using the extension. Metadata of those tables is not encrypted.
- Write-Ahead Log (WAL) data for tables created using the extension
- Temporary tables created during the database operation for data tables created using the extension
Known limitations¶
- Logical replication is not available as it doesn’t work with encrypted tables.
- Keys in the local keyfile are stored unencrypted.
- Indexes and
NULLbitmaps of tuples are currently not encrypted.
Warning: Note that introducing encryption/decryption affects performance. Our benchmark tests show less than 10% performance overhead for most situations. However, in some specific applications such as those using JSONB operations, performance degradation might be higher.
Supported PostgreSQL versions¶
pg_tde is currently based on PostgreSQL 16.0 and supported for Percona Distribution for PostgreSQL 16.x and upstream PostgreSQL 16.x.
Future releases¶
The following is planned for future releases of pg_tde:
- Encryption of indexes and
NULLbitmaps of tuples - Logical replication support
Useful links¶
Get expert help¶
If you need assistance, visit the community forum for comprehensive and free database knowledge, or contact our Percona Database Experts for professional support and services.
