The tech preview version of the pg_tde extension for PostgreSQL 16 was released on March 28th, with many improvements compared to our previous MVP release. In addition to lots of bug fixes, the new release supports multi-tenancy and key rotation with a simplified configuration mechanism. Note that the Tech Preview release is not recommended for production environments but can be used for dev environments.

Try out pg_tde!

The extension can be downloaded from the experimental Percona repositories, for example, using the following instructions for Ubuntu:

For CentOS/RHEL instructions, check out our documentation.

Alternatively, for an even easier setup, consider trying our Docker image with everything set up for you!

Setting up (multi-tenant) encryption

In the previous release, the pg_tde configuration was in a separate read-only file: it had to be created before the Postgres process was started.

In this new release, pg_tde still requires a server restart, because it has to be added to shared_preload_libraries in postgresql.conf, but the rest of the configuration is now done with SQL functions, per database.

This means that if pg_tde is used in multiple databases, it has to be configured separately in each of them, but it also allows different databases to use different key storages and keys, and ensures that these stay separated for the entire life of the database.

While the extension still supports both storing keys in a local file and in a (remote) HashiCorp Vault server, we recommend the latter: file-based storage keeps the master key on the same host as the encrypted data and is only intended for development and demos.

To set up encryption for a database, execute the following SQL commands in psql or another client:

These instructions will configure pg_tde in the given database to use the specified Vault server (with vault_url, vault_secret_token, vault_mount_point, and the optional vault_ca_path, the CA certificate used to verify the server when connecting over HTTPS) and create a key named name-of-the-master-key-1 on the Vault server.

After executing these commands, you can now create tables using the pg_tde access method, and these tables will write encrypted data to the disk:

Please note that, as in the previous MVP release, the tech preview only encrypts the table data itself, not the indexes. Any sensitive values that are indexed will still be readable in plaintext in the index files on disk, so keep sensitive columns out of indexes for now.
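The setup procedure above, end to end, as an added example; these are not the post's own commands. Function names and argument order follow the post's descriptions, but the positional argument order of pg_tde_add_key_provider_vault_v2 and the name of the key-setting function (pg_tde_set_master_key) are assumptions to check against the pg_tde documentation for your release. The Vault address, token, mount point, CA path and the sample table are placeholders constructed for this example.

```sql
-- postgresql.conf (a server restart is required after this change):
--   shared_preload_libraries = 'pg_tde'

-- 1. Enable the extension in the database that will hold encrypted tables.
--    Configuration is per database: repeat these steps in every database
--    that needs encryption (each may use a different provider and key).
CREATE EXTENSION pg_tde;

-- 2. Register a Vault key provider named provider-name-foo.
--    Assumed positional order: provider name, token, URL, mount point, CA path.
--    Use an https:// URL and pass the CA bundle so the Vault server
--    certificate is verified; otherwise the token and key material travel
--    over an unauthenticated connection.
SELECT pg_tde_add_key_provider_vault_v2(
    'provider-name-foo',
    'hvs.REPLACE_WITH_VAULT_TOKEN',          -- placeholder token
    'https://vault.example.internal:8200',   -- placeholder Vault address
    'secret',                                -- placeholder KV mount point
    '/etc/ssl/certs/vault-ca.pem'            -- CA bundle for TLS verification
);

-- 3. Create the first master key on that provider and make it the active
--    key for this database (function name is an assumption; see lead-in).
SELECT pg_tde_set_master_key('name-of-the-master-key-1', 'provider-name-foo');

-- 4. Tables created with the pg_tde access method write encrypted data
--    to disk.
CREATE TABLE customer_secrets (
    id    bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    email text NOT NULL,
    ssn   text NOT NULL
) USING pg_tde;

INSERT INTO customer_secrets (email, ssn)
VALUES ('alice@example.com', '123-45-6789');   -- constructed sample row

-- 5. Caveat check: indexes (including the PRIMARY KEY index) are NOT
--    encrypted in this release. Locate the on-disk files so you can
--    inspect them from the shell, e.g. with `strings "$PGDATA/<path>"`.
CREATE INDEX customer_secrets_email_idx ON customer_secrets (email);

SELECT relname, pg_relation_filepath(oid) AS path
FROM   pg_class
WHERE  relname IN ('customer_secrets', 'customer_secrets_email_idx');
-- The table file should not reveal the inserted values; the index file
-- still contains the e-mail addresses in plaintext, which is why the
-- index above is a poor idea for sensitive data in the tech preview.
```

Run the CREATE EXTENSION and provider/key steps as a superuser in each database you want encrypted; the CREATE INDEX at the end exists only to make the "indexes are not encrypted" caveat visible on disk and should not be kept for real sensitive columns.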

Changing the configuration

With this new release, it is possible to change the configuration of the extension dynamically: you can generate a new master key, switch to a different provider for storing the master keys, or do both at once.

Both operations are done using the pg_tde_rotate_key function:

Both arguments are optional and can be either a specific string or NULL. If both parameters are NULL, it is also possible to simply write:

This uses automatic versioning and creates the next version of the same key on the same provider; in our example above, it would be name-of-the-master-key-2 on provider-name-foo.

To start using a different key name, simply specify a new key name as the first parameter.

To start using a new provider, possibly of a different type, simply register a new provider, for example, with pg_tde_add_key_provider_vault_v2, then specify the name of the provider as the second parameter.
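The three rotation cases above, as an added example rather than the post's own commands. The pg_tde_rotate_key signature is taken from the post (key name, provider name, both optional and nullable); the argument order of pg_tde_add_key_provider_vault_v2 and the second Vault cluster's address, token and mount point are assumptions and placeholders.

```sql
-- Case 1: no arguments. pg_tde versions the current key automatically:
-- after name-of-the-master-key-1 on provider-name-foo this creates
-- name-of-the-master-key-2 on the same provider and switches to it.
SELECT pg_tde_rotate_key();

-- The explicit equivalent: both parameters NULL.
SELECT pg_tde_rotate_key(NULL, NULL);

-- Case 2: a new key name on the current provider. A NULL second argument
-- keeps provider-name-foo.
SELECT pg_tde_rotate_key('name-of-the-master-key-2024q2', NULL);

-- Case 3: move to a different provider, here a second Vault cluster.
-- Register the new provider first (assumed positional order: provider
-- name, token, URL, mount point, CA path; values are placeholders), then
-- rotate onto it with a new key name.
SELECT pg_tde_add_key_provider_vault_v2(
    'provider-name-bar',
    'hvs.REPLACE_WITH_NEW_VAULT_TOKEN',
    'https://vault-b.example.internal:8200',
    'secret',
    '/etc/ssl/certs/vault-b-ca.pem'
);
SELECT pg_tde_rotate_key('name-of-the-master-key-bar-1', 'provider-name-bar');
```

Because configuration is per database, a rotation affects only the database you run it in; when a provider is retired, repeat the registration and rotation in every database that still points at the old provider before revoking its Vault token.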

Please test and give us feedback

Explore our extension today and share your experiences with us at https://github.com/Percona-Lab/pg_tde/discussions. Have questions? We’re here to help! Your feedback is invaluable – the more instances of our software in use and the more feedback we gather, the stronger our product becomes.

