Installation

Considerations

You can use the following options to manage encryption keys:

• Use the HashiCorp Vault server. This is the recommended approach. The Vault server configuration is out of scope of this document. We assume that you have the Vault server up and running. For the pg_tde configuration, you need the following information:

  • The secret access token to the Vault server
  • The URL to access the Vault server
  • (Optional) The CA file used for SSL verification

• Use the local keyfile. This approach is rather used for development and testing purposes since the keys are stored unencrypted in the specified keyfile.

Procedure

Install pg_tde using one of available installation methods:

Package managerBuild from sourceRun in Docker

Starting with Aplha1 version, you can install the extension as package from Percona repositories using the percona-release tool. The packages are available for the following operating systems:

• Red Hat Enterprise Linux and CentOS 7
• Red Hat Enterprise Linux 8 and compatible derivatives
• Red Hat Enterprise Linux 9 and compatible derivatives
• Ubuntu 20.04 (Focal Fossa)
• Ubuntu 22.04 (Jammy Jellyfish)
• Debian 10 (Buster)
• Debian 11 (Bullseye)
• Debian 12 (Bookworm)

Install on Debian or Ubuntu Install on RHEL or derivatives

1. To build pg_tde from source code, you require the following on Ubuntu/Debian:

   sudo apt install make gcc postgresql-server-dev-16 libcurl4-openssl-dev
   

2. Install Percona Distribution for PostgreSQL 16 or upstream PostgreSQL 16

3. If PostgreSQL is installed in a non standard directory, set the PG_CONFIG environment variable to point to the pg_config executable.

4. Clone the repository:

   git clone git://github.com/Percona-Lab/pg_tde
   

5. Compile and install the extension

   cd pg_tde
   ./configure
   make USE_PGXS=1
   sudo make USE_PGXS=1 install
   

You can find Docker images built from the current main branch on Docker Hub. Images are built on top of postgres:16 official image.

To run pg_tde in Docker, use the following command:

docker run --name pg-tde -e POSTGRES_PASSWORD=mysecretpassword -d perconalab/pg_tde

It builds and adds pg_tde extension to PostgreSQL 16. The postgresql.conf contains the required modifications. The pg_tde extension is added to template1 so that all new databases automatically have the pg_tde extension loaded.

Keys are not created automatically. You must configure a key provider and a principal key for each database where you wish to use encrypted tables. See the instructions in the Setup section, starting with the 4^th point, as the first 3 steps are already completed in the Docker image.

See Docker Docs on usage.

You can also build a Docker image manually with:

docker build . -f ./docker/Dockerfile -t your-image-name

Next steps

Setup

Get expert help

If you need assistance, visit the community forum for comprehensive and free database knowledge, or contact our Percona Database Experts for professional support and services.

Community Forum Get a Percona Expert