Oct 16, 2023

Adding Transparent Data Encryption to PostgreSQL with pg_tde: Please Test

Transparent Data Encryption to PostgreSQL

PG_TDE is an experimental transparent data encryption access method for PostgreSQL 16 and beyond. This software is under active development and at a very early stage of design and implementation. In the spirit of open and transparent communication, we would appreciate your feedback and invite PostgreSQL users to test the extension and provide feedback either via the GitHub repository or in the forum.

What is TDE?

Transparent Data Encryption (TDE) offers encryption at the file level and solves the problem of protecting data at rest. This is something that is available in other databases but not provided in upstream, vanilla Postgres.

Percona has received user feedback that this would be a useful feature, so we are working on this as an open source extension for Postgres that anyone can deploy. Percona co-founder Peter Zaitsev’s blog on why PostgreSQL needs TDE highlights some of the technical and business reasons why you might want TDE. Since PostgreSQL doesn’t have TDE features yet, Percona wants to provide the TDE feature as an extension to PostgreSQL.

Running pg_tde

The following examples use Docker to demonstrate what is needed to test pg_tde.

stoker@testa:~$ sudo docker run --name pg-tde -e POSTGRES_PASSWORD=mysecretpassword -d perconalab/postgres-tde-ext
2ccbe758f32348e286cb277aed17c1c3f9c880b37f92303bd2266a334096b0b1
Log in to PostgreSQL

We specified the POSTGRES_PASSWORD in the docker run command above, so use that password when prompted.

stoker@testa:~$ sudo docker run -it --rm postgres psql -h 172.17.0.2 -U postgres
Password for user postgres:
psql (16.0 (Debian 16.0-1.pgdg120+1))
Type "help" for help.

Verify that pg_tde is installed

Use the psql \dx meta-command to double-check that pg_tde is installed.

postgres=# \dx
                 List of installed extensions
  Name   | Version |   Schema   |         Description
---------+---------+------------+------------------------------
 pg_tde  | 1.0     | public     | pg_tde access method
 plpgsql | 1.0     | pg_catalog | PL/pgSQL procedural language
(2 rows)

Another way to check is to try to create the pg_tde extension; the server should report that it already exists, as below. Note that extensions are installed per database: if you create a new database, you will have to create the extension in that database as well.

postgres=# CREATE EXTENSION pg_tde;
ERROR: extension "pg_tde" already exists
postgres=#

Now, we can create a table that uses pg_tde.

postgres=# CREATE TABLE sbtest1 ( id SERIAL, k INTEGER DEFAULT '0' NOT NULL, PRIMARY KEY (id)) USING pg_tde;
CREATE TABLE

And now you can insert data, delete data, update data, and do all the DML you are used to with PostgreSQL.

postgres=# SELECT cmin, cmax, xmin, xmax, ctid, * FROM sbtest1;

 cmin | cmax | xmin | xmax |  ctid  | id | k
------+------+------+------+--------+----+----
    0 |    0 |  744 |    0 | (0,1)  |  1 |  1
    0 |    0 |  744 |    0 | (0,2)  |  2 |  2
    0 |    0 |  744 |    0 | (0,3)  |  3 |  3
    0 |    0 |  744 |    0 | (0,7)  |  7 |  7
    0 |    0 |  744 |    0 | (0,8)  |  8 |  8
    0 |    0 |  744 |    0 | (0,9)  |  9 |  9
    0 |    0 |  744 |    0 | (0,10) | 10 | 10
    0 |    0 |  746 |    0 | (0,11) | 11 | 11
    0 |    0 |  746 |    0 | (0,12) | 12 | 12
    0 |    0 |  746 |    0 | (0,13) | 13 | 13
(10 rows)

postgres=#
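As an added example (not code from the original post or from the pg_tde project), here is the same setup carried into a fresh database, followed by a catalog query that confirms which tables actually go through the pg_tde access method; run it with psql against a pg_tde-enabled server such as the container above. The database name tde_test and the audit_note table are assumptions made for the example.

```sql
-- Added example: set up pg_tde in a new database and verify that tables
-- really use the encrypted access method. Assumes a server built with
-- pg_tde (e.g. the perconalab/postgres-tde-ext image); tde_test and
-- audit_note are names chosen for this example.

-- Extensions are per database, so a new database needs pg_tde created in it.
CREATE DATABASE tde_test;
\c tde_test
CREATE EXTENSION IF NOT EXISTS pg_tde;

-- Table stored through pg_tde, as in the post.
CREATE TABLE sbtest1 (
    id SERIAL,
    k  INTEGER DEFAULT '0' NOT NULL,
    PRIMARY KEY (id)
) USING pg_tde;

-- A table created without USING silently falls back to the default
-- access method (heap), i.e. it is NOT encrypted by pg_tde.
CREATE TABLE audit_note (
    id   SERIAL PRIMARY KEY,
    note TEXT
);

-- Ordinary DML works on the pg_tde table exactly as on a heap table.
INSERT INTO sbtest1 (k) SELECT g FROM generate_series(1, 13) AS g;
DELETE FROM sbtest1 WHERE id BETWEEN 4 AND 6;
UPDATE sbtest1 SET k = k * 10 WHERE id > 10;

-- Check: which access method backs each ordinary table in this schema?
-- Any row reporting 'heap' is stored unencrypted. Indexes and TOAST
-- tables are separate relations and are not covered by this query.
SELECT c.relname, a.amname AS access_method
FROM pg_class c
JOIN pg_am a ON a.oid = c.relam
WHERE c.relkind = 'r'
  AND c.relnamespace = 'public'::regnamespace
ORDER BY c.relname;

-- Make pg_tde the default for tables created later in this database, so a
-- CREATE TABLE without USING no longer silently lands on heap.
ALTER DATABASE tde_test SET default_table_access_method = 'pg_tde';
```

Running the catalog query before and after the ALTER DATABASE makes it easy to spot tables that were created before the default was changed.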

Please test pg_tde

Percona wants to make pg_tde your choice of TDE encryption, and for that, we need as many people testing and providing feedback as possible.

Follow the directions above or on the GitHub repository. Please let us know what you like and what you dislike about pg_tde. Let Percona know about any issues you discover, tell us what additional tooling around pg_tde you would like to have, and share any other feedback.

This is open source software, and the old adage about having many eyeballs on the code to ensure its quality is applicable here, as Percona wants your input.
