Lately, it feels like every time I go to a technical conference, someone is talking about how great PostgreSQL is. I’d think it’s just me noticing, but the rankings and surveys say otherwise. PostgreSQL is simply very popular.
From old-school bare metal setups to VMs, containers, and fully managed cloud databases, PostgreSQL keeps gaining ground. And with popularity come higher expectations: more users mean more use cases, and that means more demand for features.
Just because Postgres is popular doesn’t mean it has everything out of the box. But one of the main drivers of PostgreSQL’s popularity is how easy it is to extend. That’s how it stays relevant. It’s like the elephant is learning to blend in, now with some chameleon camouflage features.
One big thing we’ve seen missing, especially when working with large enterprises, is encryption at rest. For many companies, this is a dealbreaker as, without it, you can’t meet internal policies or comply with industry standards and regulations.
But even the chameleon needs a few new colors. Transparent Data Encryption (TDE) still requires deeper hooks in core, which is why we’ve proposed a patch that we hope will also be useful to other extension authors. Until that’s part of upstream PostgreSQL, it’s available as open source in Percona Distribution for PostgreSQL, with a patched PostgreSQL server and the pg_tde extension.
Why is TDE such a big deal?
Data encryption at rest isn’t just a compliance checkbox; it’s about building trust. Sensitive data deserves better protection, whether it’s financial records, healthcare data, or personal information. PostgreSQL users shouldn’t have to rely on disk encryption alone or patch together external tools, often not open source. It’s time this kind of security became a first-class citizen inside the database itself.
In case you missed it: Percona has been working on this.
pg_tde extension is now GA!
We’re happy to announce that the pg_tde extension is now generally available! You can grab the latest Percona Distribution for PostgreSQL and jump into the quick-start guide in our docs. You’ll be running fully open source TDE on PostgreSQL: no licensing tricks, no lock-in.
Here’s what’s included in this release:
- PostgreSQL server extensibility hooks
  - One patch has already been contributed upstream (pending acceptance), and another is in preparation for submission.
- Fully open source extension
- Multi-tenant support in envelope encryption model
- Online data encryption per-table granularity
- Index encryption for encrypted tables
- Encryption enforcement
- KMS integration (KMIP and Secrets Engine kv2) tested with
  - Thales CipherTrust Manager (CTM)
  - Fortanix Key Management Service
  - HashiCorp Vault
  - OpenBao
- Online key rotation
- Beta feature(s)
  - WAL encryption (Beta)
What’s next?
Our main goal now is to make WAL encryption GA-ready in the coming months. We’re also planning to support TDE on previous PostgreSQL versions, provide more configuration flexibility, and work with the PostgreSQL Community to ensure the patches required for pg_tde to work are acceptable upstream.
Is there a feature you’d like to see in TDE or PostgreSQL in general? We’d love to hear from you. Join the conversation on the Percona Community forums, GitHub, or come talk to us at events!
And in the meantime, stay safe and secure and have fun! Dance like no one is watching, encrypt like everyone is!