open_pg_tde 2.3.0 provides Transparent Data Encryption for upstream PostgreSQL 16, 17, and 18. No vendor server fork is required: you apply the gated core patch to a stock PostgreSQL source tree and build the extension against it.
Highlights since 2.2.0
- Native PostgreSQL 16, 17, and 18 through the gated core patch (
patches/postgresql/<major>/). With the flag off, the tree builds as unmodified PostgreSQL. - Temporary file encryption (
encrypt_temp_files), AES-128-XTS with a memory-only per-boot key. - AES-256-XTS data cipher (
open_pg_tde.data_cipher = aes_256_xts), alongside AES-128-XTS and the CBC ciphers. - FIPS enforcement (
open_pg_tde.require_fips): all cryptography uses FIPS-approved modes. - New documentation: threat model, FIPS compliance, comparison with Percona pg_tde, and a performance baseline.
- Data-checksum torn-page safety, with a startup warning when neither data checksums nor
wal_log_hintsis enabled.
Source tarballs
Each tarball is a complete source tree (including the libkmip submodule) carrying only the core patch for its PostgreSQL major:
| PostgreSQL | Tarball |
|---|---|
| 18 | open_pg_tde-2.3.0-pg18.tar.gz |
| 17 | open_pg_tde-2.3.0-pg17.tar.gz |
| 16 | open_pg_tde-2.3.0-pg16.tar.gz |
Verify with sha256sum -c SHA256SUMS. To build, apply the core patch to a matching stock PostgreSQL source tree (patches/postgresql/apply.sh) and build the extension against that install. See documentation/docs/install-from-source.md.