Skip to content

Releases: commandprompt/open_pg_tde

Release list

open_pg_tde 2.3.0

Choose a tag to compare

@jdatcmd jdatcmd released this 07 Jul 23:23

open_pg_tde 2.3.0 provides Transparent Data Encryption for upstream PostgreSQL 16, 17, and 18. No vendor server fork is required: you apply the gated core patch to a stock PostgreSQL source tree and build the extension against it.

Highlights since 2.2.0

  • Native PostgreSQL 16, 17, and 18 through the gated core patch (patches/postgresql/<major>/). With the flag off, the tree builds as unmodified PostgreSQL.
  • Temporary file encryption (encrypt_temp_files), AES-128-XTS with a memory-only per-boot key.
  • AES-256-XTS data cipher (open_pg_tde.data_cipher = aes_256_xts), alongside AES-128-XTS and the CBC ciphers.
  • FIPS enforcement (open_pg_tde.require_fips): all cryptography uses FIPS-approved modes.
  • New documentation: threat model, FIPS compliance, comparison with Percona pg_tde, and a performance baseline.
  • Data-checksum torn-page safety, with a startup warning when neither data checksums nor wal_log_hints is enabled.

Source tarballs

Each tarball is a complete source tree (including the libkmip submodule) carrying only the core patch for its PostgreSQL major:

PostgreSQL Tarball
18 open_pg_tde-2.3.0-pg18.tar.gz
17 open_pg_tde-2.3.0-pg17.tar.gz
16 open_pg_tde-2.3.0-pg16.tar.gz

Verify with sha256sum -c SHA256SUMS. To build, apply the core patch to a matching stock PostgreSQL source tree (patches/postgresql/apply.sh) and build the extension against that install. See documentation/docs/install-from-source.md.