Personal blog of Yzmir Ramirez

This fall feels like a good moment to stop and look at what’s changed in PostgreSQL security over the last months and also what you can use right now to make your PostgreSQL deployments safer. PostgreSQL Transparent Data Encryption (TDE) from Percona For many years, Transparent Data Encryption (TDE) was a missing piece for security […]

If you’re running PostgreSQL in a regulated industry, you know the frustration: your compliance auditor demands data-at-rest encryption, but PostgreSQL doesn’t offer it natively. Your only options in the past? Pay premium prices for proprietary forks or accept compliance gaps that keep you awake at night. Percona has changed that. With Percona for PostgreSQL, you […]

I would like to thank everyone who attended my webinar, “No More Workarounds: Open Source PostgreSQL TDE Is Here,” on July 23, 2025. If you missed it, you can view the recording and slides. Here are the questions I had no time to answer during the live session. If you have more questions, post them in […]

Welcome to the open source implementation of PostgreSQL Transparent Data Encryption! This question was posed on the PostgreSQL forum, and the good news is that it’s actually pretty easy to do! Q: Is it possible to automate the steps to enable pg_tde for all new databases?A: Yes! Here’s the routine: Part I: Download Percona Distribution […]

Lately, it feels like every time I go to a technical conference, someone is talking about how great PostgreSQL is. I’d think it’s just me noticing, but the rankings and surveys say otherwise. PostgreSQL is simply very popular. From old-school bare metal setups to VMs, containers, and fully managed cloud databases, PostgreSQL keeps gaining ground. And […]

PostgreSQL is, without a doubt, one of the most popular open source databases in the world. Why? Well, there are many reasons, but if I had to pick just one, I’d say it’s extensibility. PostgreSQL isn’t just a database; it’s an ecosystem of extensions that can transform it to tackle any upcoming challenges. By enabling […]

If you’re managing a PostgreSQL database and handling sensitive data or PII, the answer is simple: You need data-at-rest encryption. This isn’t just a “nice-to-have” feature—it’s often a legal or regulatory requirement. Compliance auditors, security officers, and privacy-conscious customers all expect it.  But is this enough?  We think NO! The reality check: No native TDE […]

PG_TDE is an experimental transparent data encryption access method for PostgreSQL 16 and beyond. This software is under active development and at a very early stage of design and implementation. In the spirit of open and transparent communication, we would appreciate your feedback and invite PostgreSQL users to test the extension and provide feedback either via the GitHub repository or in the forum.

What is TDE?

Transparent Data Encryption (TDE) offers encryption at the file level and solves the problem of protecting data at rest. This is something that is available in other databases but not provided in upstream, vanilla Postgres.

Percona has received user feedback that this would be a useful feature, so we are working on this as an open source extension for Postgres that anyone can deploy. Percona co-founder Peter Zaitsev’s blog on why PostgreSQL needs TDE highlights some of the technical and business reasons why you might want TDE. Since PostgreSQL doesn’t have TDE features yet, Percona wants to provide the TDE feature as an extension to PostgreSQL.

Running pg_tde

The following examples use Docker to demonstrate what is needed to test pg_tde.

stoker@testa:~$sudo docker run --name pg-tde -e POSTGRES_PASSWORD=mysecretpassword -d perconalab/postgres-tde-ext
2ccbe758f32348e286cb277aed17c1c3f9c880b37f92303bd2266a334096b0b1
Log in to PostgreSQL

We specified the POSTGIS_PASSWORD in the docker run command above.

stoker@testa:~$ sudo docker run -it --rm postgres psql -h 172.17.0.2 -U postgres
Password for user postgres:
psql (16.0 (Debian 16.0-1.pgdg120+1))
Type "help" for help.

Verify that pg_tde is installed

Use the psql dx command to double-check that pg_tde is installed.

postgres=# dx
List of installed extensions
Name | Version | Schema | Description
---------+---------+------------+------------------------------
pg_tde | 1.0 | public | pg_tde access method
plpgsql | 1.0 | pg_catalog | PL/pgSQL procedural language
(2 rows)

Another way to check is to try to create the pg_tde extension. The server should inform you that it is already installed. If you create a new database, you will have to re-create the extension side of it as below.

postgres=# CREATE EXTENSION pg_tde;
ERROR: extension "pg_tde" already exists
postgres=#

Now, we can create a table that uses pg_tde.

postgres=# CREATE TABLE sbtest1 ( id SERIAL, k INTEGER DEFAULT '0' NOT NULL, PRIMARY KEY (id)) USING pg_tde;
CREATE TABLE

And now you can insert data, delete data, update data, and do all the DML you are used to with PostgreSQL.

postgres=# SELECT cmin, cmax, xmin, xmax, ctid, * FROM sbtest1;

cmin | cmax | xmin | xmax | ctid | id | k
------+------+------+------+--------+----+----
0 | 0 | 744 | 0 | (0,1) | 1 | 1
0 | 0 | 744 | 0 | (0,2) | 2 | 2
0 | 0 | 744 | 0 | (0,3) | 3 | 3
0 | 0 | 744 | 0 | (0,7) | 7 | 7
0 | 0 | 744 | 0 | (0,8) | 8 | 8
0 | 0 | 744 | 0 | (0,9) | 9 | 9
0 | 0 | 744 | 0 | (0,10) | 10 | 10
0 | 0 | 746 | 0 | (0,11) | 11 | 11
0 | 0 | 746 | 0 | (0,12) | 12 | 12
0 | 0 | 746 | 0 | (0,13) | 13 | 13
(10 rows)

postgres=#

Please test pg_tde

Percona wants to make pg_tde your choice of TDE encryption, and for that, we need as many people testing and providing feedback as possible.

Follow the directions above or on the Github repository. Please let us know what you like and what you dislike about pg_tde. Let Percona know about any issues you discover, tell us what additional tooling about pg_tde you would like to have, and any other feedback.

This is open source software, and the old adage about having many eyeballs on the code to ensure its quality is applicable here, as Percona wants your input.

Percona Distribution for PostgreSQL provides the best and most critical enterprise components from the open-source community, in a single distribution, designed and tested to work together.

 

Download Percona Distribution for PostgreSQL Today!