Transparent Data Encryption for upstream PostgreSQL
open_pg_tde is a PostgreSQL extension that encrypts data at rest. It provides
the tde_heap access method, so tables, their indexes, TOAST, and the
write-ahead log are encrypted on disk while remaining transparent to queries. It
runs on upstream PostgreSQL 16, 17, and 18, with no vendor server fork
required.
open_pg_tdeis an open fork ofpg_tde, maintained by Command Prompt, Inc. See how they differ in the comparison with pg_tde.
- Per-table encryption with the
tde_heapaccess method. The cipher is recorded per table, so encrypted and plain tables coexist. - Encrypted at rest: table data, indexes, TOAST, the WAL, and temporary (query-spill) files. System catalogs and statistics are not encrypted; see the threat model.
- Data ciphers: AES-128-XTS (default), AES-256-XTS, AES-128-CBC, and
AES-256-CBC, selected with
open_pg_tde.data_cipher. The WAL uses AES-CTR. - Key management: a two-tier hierarchy (a principal key wraps per-relation keys), with a keyring file, KMIP-compatible systems, or OpenBao as providers, per database or cluster-wide.
- FIPS: all cryptography runs through OpenSSL with FIPS-approved modes, and the server can be required to start only in OpenSSL FIPS mode. See FIPS compliance.
- Upstream PostgreSQL: a gated core patch adds the storage-manager and WAL hooks. With the flag off, the tree builds as unmodified PostgreSQL.
| Version | Status |
|---|---|
| 18 | Supported |
| 17 | Supported |
| 16 | Supported (minimum) |
| 19 | Beta port in progress (roadmap) |
open_pg_tde builds against a PostgreSQL source tree patched with the
open_pg_tde core patch. Apply the patch, build PostgreSQL with the hooks
enabled, then build the extension against that install:
- Install from source, the step-by-step guide.
patches/postgresql/README.md, the per-version patch series and status.
Prebuilt source tarballs for each PostgreSQL major are attached to each release.
After installing the extension and adding open_pg_tde to
shared_preload_libraries:
CREATE EXTENSION open_pg_tde;
-- Configure a key provider and a principal key (a keyring file here; use a KMS
-- in production, see the setup guide).
SELECT open_pg_tde_add_database_key_provider_file('file-keyring', '/path/to/keyring');
SELECT open_pg_tde_create_key_using_database_key_provider('my-key', 'file-keyring');
SELECT open_pg_tde_set_key_using_database_key_provider('my-key', 'file-keyring');
-- Create an encrypted table.
CREATE TABLE secret (id int, data text) USING tde_heap;
SELECT open_pg_tde_is_encrypted('secret'); -- tSee the setup guide for key management, WAL encryption, and enabling encryption by default.
The full documentation source is in documentation/.
| Setup and configuration | Install, key providers, encrypted tables |
| Key management | Keyring file, KMIP, OpenBao |
| GUC variables | All settings |
| Functions | Helper functions |
| Threat model | What encryption at rest does and does not protect |
| FIPS compliance | Approved algorithms and FIPS mode |
| Comparison with Percona pg_tde | How the fork differs |
Contributions are welcome. See CONTRIBUTING.md for building,
testing, and coding standards, and RELEASING.md for how
releases are built. All C code follows the
PostgreSQL coding conventions.
open_pg_tde is distributed under the PostgreSQL License. It retains the original copyright for the derived work.
Command Prompt, Inc. maintains open_pg_tde and is not affiliated with Percona.