
Transparent Data Encryption: The Best Way to Secure Your Data in PostgreSQL

July 8, 2025
Author: Robert Bernier

Welcome to the open source implementation of PostgreSQL Transparent Data Encryption!

This question was posed on the PostgreSQL forum, and the good news is that it’s actually pretty easy to do!

Q: Is it possible to automate the steps to enable pg_tde for all new databases?
A: Yes!

Here’s the routine:

    • Part I: Getting pg_tde
    • Part II: Configure pg_tde, permitting the encryption of tables

Part I

Getting pg_tde

The best way to get pg_tde is through Percona’s Distribution of PostgreSQL, which includes a curated collection of packages and extensions for enterprise production environments.

The long-term goal is to enable pg_tde across all Postgres implementations, irrespective of source repository. Community efforts are currently underway to tweak the Postgres base code, making this possible.

Here’s what you need to do on Ubuntu 24.04 (noble)…

Log in to your distro and perform the following as “root”:

You’ll need to install Percona Distribution for PostgreSQL:

Installing Percona Distribution for PostgreSQL, among many other packages and extensions, includes the pg_tde extension.

Note: Pay attention to the distribution version, as the repository is constantly being updated.

Install PostgreSQL, and the data cluster is created and started automatically:

Enable pg_tde on the data cluster and restart the service:

Part II

Enabling and configuring table encryption across the data cluster

Enabling table encryption requires creating the extension in the database.

Here are the steps:

    • Step 1: Create the template database and create the extension pg_tde

    • Step 2:

        • Create your database, e.g., db01

        • Add the “global” key provider via one of the two following methods:

            1. keyfile (localhost)

            2. key management server
              In production, a key management server is recommended, for example (but not limited to) HashiCorp Vault.

        • Set the key

    • Step 3: Create the user-defined database, log in, and create the table(s)/relation(s) as required

There are two methods for registering the provider:

    1. Per database

    2. Globally, across the data cluster

To keep things as simple as possible, we’ll use the global approach: register once, use everywhere.

Step 1: Create the template database

One can save effort by creating a “template” database; execute the following as postgres:

Step 2: Add the key provider and set the key

Log in to the template database and add the key provider.

Recall that we’re using a local keyfile, which can be located anywhere on the physical host that the PostgreSQL process owner can access.

Step 3: Create the user-defined database and encrypted tables

Creating the encrypted table is easy, as all that’s required is specifying the relation’s access method, i.e., “tde_heap”. Note that you can have both encrypted and unencrypted tables in the same database:

Since both the provider and the key are global, creating new encrypted databases requires minimal effort.
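The three steps above, written out as one psql session, as an added example that is not part of the original post. The function names follow the pg_tde documentation as understood here and should be confirmed with `\df pg_tde_*` on the installed release (the API has changed between releases); the database names, provider/key names and the keyfile path are placeholders chosen for this example.

```sql
-- Added example (not from the post): global keyfile provider, run in psql as the
-- postgres superuser after pg_tde is in shared_preload_libraries (Part I).

-- Step 1: a template database that already carries the extension.
CREATE DATABASE tde_template;
\c tde_template
CREATE EXTENSION pg_tde;

-- Step 2: register a global keyfile provider and make its key the default for
-- every database in the cluster. Placeholder names and path; the keyfile holds
-- the wrapped keys, so it must be readable only by the PostgreSQL process owner,
-- and because it sits on the same host as the data it protects little more than
-- the raw storage, which is why a key management server is advised in production.
SELECT pg_tde_add_global_key_provider_file('global-keyfile',
                                           '/var/lib/postgresql/pg_tde_keyring.per');
SELECT pg_tde_set_default_key_using_global_key_provider('default-key', 'global-keyfile');
-- Confirm the provider can actually serve the key before any data depends on it.
SELECT pg_tde_verify_default_key();

-- Step 3: clone the template into the application database. A database can only be
-- used as a template while nobody is connected to it, so disconnect from it first.
\c postgres
CREATE DATABASE db01 TEMPLATE tde_template;
\c db01

-- tde_heap encrypts this relation; a plain CREATE TABLE still uses the default heap,
-- so encrypted and unencrypted tables coexist in db01.
CREATE TABLE customers (id bigint PRIMARY KEY, email text) USING tde_heap;
CREATE TABLE scratch   (id bigint, note text);

-- Verify which relations are encrypted rather than assuming: expect t and f.
SELECT pg_tde_is_encrypted('customers'), pg_tde_is_encrypted('scratch');
```

Any further database created with `TEMPLATE tde_template` inherits the extension and uses the global default key, which is the "register once, use everywhere" property the post describes.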

Conclusion

The next step in your journey into PostgreSQL transparent data encryption is to familiarize yourself with the full API and learn how to work with the key management server. References are included below.

References
