Transparent Data Encryption is one ‘missing item’ in comparing PostgreSQL to commercial databases. Percona’s pg_tde project will correct this shortcoming. Progress is ongoing, and Percona would love your feedback, so please download and test.
The pg_tde documentation is here. You will find many options for obtaining pg_tde – Docker images, RPM, DEB, and source code.
The pg_tde extension encrypts user data in tables, including TOAST tables, created using the pg_tde extension. You explicitly create a table with USING pg_tde to encrypt its data. There is no need to encrypt all the data in a schema; encrypt just the tables you want to protect.
CREATE TABLE test_enc (id SERIAL, t VARCHAR(32), PRIMARY KEY(id)) USING pg_tde;
The metadata of the encrypted tables is not encrypted. Standard PostgreSQL tools should work, but please let us know what you discover that is broken.
Write-Ahead Log (WAL) data for tables created using the extension is also encrypted. It does little good to hide the table’s content if that information is floating around in a clear-text log file.
Temporary tables are also encrypted when the corresponding data tables are created using the extension.
To encrypt the data, two types of keys are used:
pg_tde is integrated with the HashiCorp Vault server to store and manage master keys. Only the back-end KV Secrets Engine – Version 2 (API) is supported.
When creating an encrypted table using pg_tde, a new random key is generated. This key is used to encrypt all data the user inserts in that table. Eventually, the encrypted data gets stored in the underlying storage.
The key itself is encrypted using the master key. The master key is stored externally in the Vault key management store.
Similarly, when the user queries the encrypted table, the master key is retrieved from the key store to decrypt the internal key. Then the same unique internal key for that table is used to decrypt the data, and unencrypted data gets returned to the user. So, effectively, every TDE table has a unique key, and each table key is encrypted using the master key.
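The two-tier key model described above, worked through as an added example that is not pg_tde’s own code: the Vault KV store is simulated with a dict, and HMAC-SHA256 in counter mode with an encrypt-then-MAC tag stands in for the real block cipher so the code runs on the standard library alone. The key path, the function names and the sample row are constructed for this illustration.

```python
import hashlib
import hmac
import secrets

# Stand-in for Vault's KV Secrets Engine v2: master keys looked up by path.
# Constructed for this example; pg_tde talks to a real Vault server instead.
VAULT_KV = {"secret/pg_tde/master": secrets.token_bytes(32)}

def _subkeys(key: bytes) -> tuple:
    """Derive separate encryption and MAC keys so one key is never used for both."""
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib stand-in for the block cipher pg_tde uses."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a fresh random nonce; output is nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or tampered data is rejected."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def create_table(kv: dict, master_path: str) -> bytes:
    """CREATE TABLE ... USING pg_tde: generate a random internal key and keep only its
    form wrapped under the master key fetched from the store (KeyError if unreachable)."""
    return seal(kv[master_path], secrets.token_bytes(32))

def encrypt_row(kv: dict, master_path: str, wrapped: bytes, row: bytes) -> bytes:
    """INSERT path: fetch the master key, unwrap the table key, encrypt the row with it."""
    return seal(unseal(kv[master_path], wrapped), row)

def decrypt_row(kv: dict, master_path: str, wrapped: bytes, enc: bytes) -> bytes:
    """SELECT path: the same unwrap, then the stored row is decrypted for the user."""
    return unseal(unseal(kv[master_path], wrapped), enc)
```

Each call to create_table yields a different wrapped key, so a row encrypted under one table cannot be read with another table’s key, and removing the master key from the store makes every stored row unreadable.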
Using TDE has the following benefits:
Stay tuned for more!
Percona Distribution for PostgreSQL provides the best and most critical enterprise components from the open-source community in a single distribution, designed and tested to work together. Run PostgreSQL in your production and mission-critical environments and easily deploy and orchestrate reliable PostgreSQL in Kubernetes.