Skip to content

commandprompt/open_pg_tde

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1,553 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

open_pg_tde

Transparent Data Encryption for upstream PostgreSQL

OpenSSF Scorecard PostgreSQL 16 | 17 | 18 License: PostgreSQL


open_pg_tde is a PostgreSQL extension that encrypts data at rest. It provides the tde_heap access method, so tables, their indexes, TOAST, and the write-ahead log are encrypted on disk while remaining transparent to queries. It runs on upstream PostgreSQL 16, 17, and 18, with no vendor server fork required.

open_pg_tde is an open fork of pg_tde, maintained by Command Prompt, Inc. See how they differ in the comparison with pg_tde.

Features

  • Per-table encryption with the tde_heap access method. The cipher is recorded per table, so encrypted and plain tables coexist.
  • Encrypted at rest: table data, indexes, TOAST, the WAL, and temporary (query-spill) files. System catalogs and statistics are not encrypted; see the threat model.
  • Data ciphers: AES-128-XTS (default), AES-256-XTS, AES-128-CBC, and AES-256-CBC, selected with open_pg_tde.data_cipher. The WAL uses AES-CTR.
  • Key management: a two-tier hierarchy (a principal key wraps per-relation keys), with a keyring file, KMIP-compatible systems, or OpenBao as providers, per database or cluster-wide.
  • FIPS: all cryptography runs through OpenSSL with FIPS-approved modes, and the server can be required to start only in OpenSSL FIPS mode. See FIPS compliance.
  • Upstream PostgreSQL: a gated core patch adds the storage-manager and WAL hooks. With the flag off, the tree builds as unmodified PostgreSQL.

Supported PostgreSQL versions

Version Status
18 Supported
17 Supported
16 Supported (minimum)
19 Beta port in progress (roadmap)

Installation

open_pg_tde builds against a PostgreSQL source tree patched with the open_pg_tde core patch. Apply the patch, build PostgreSQL with the hooks enabled, then build the extension against that install:

Prebuilt source tarballs for each PostgreSQL major are attached to each release.

Quick start

After installing the extension and adding open_pg_tde to shared_preload_libraries:

CREATE EXTENSION open_pg_tde;

-- Configure a key provider and a principal key (a keyring file here; use a KMS
-- in production, see the setup guide).
SELECT open_pg_tde_add_database_key_provider_file('file-keyring', '/path/to/keyring');
SELECT open_pg_tde_create_key_using_database_key_provider('my-key', 'file-keyring');
SELECT open_pg_tde_set_key_using_database_key_provider('my-key', 'file-keyring');

-- Create an encrypted table.
CREATE TABLE secret (id int, data text) USING tde_heap;
SELECT open_pg_tde_is_encrypted('secret');  -- t

See the setup guide for key management, WAL encryption, and enabling encryption by default.

Documentation

The full documentation source is in documentation/.

Setup and configuration Install, key providers, encrypted tables
Key management Keyring file, KMIP, OpenBao
GUC variables All settings
Functions Helper functions
Threat model What encryption at rest does and does not protect
FIPS compliance Approved algorithms and FIPS mode
Comparison with Percona pg_tde How the fork differs

Contributing

Contributions are welcome. See CONTRIBUTING.md for building, testing, and coding standards, and RELEASING.md for how releases are built. All C code follows the PostgreSQL coding conventions.

License

open_pg_tde is distributed under the PostgreSQL License. It retains the original copyright for the derived work. Command Prompt, Inc. maintains open_pg_tde and is not affiliated with Percona.

About

open_pg_tde - Transparent Data Encryption for native PostgreSQL. An open fork of Percona pg_tde, maintained by Command Prompt, Inc.

Resources

Code of conduct

Contributing

Security policy

Stars

3 stars

Watchers

0 watching

Forks

Packages

 
 
 

Contributors