pg_tde

Percona pg_tde access method

Overview

Package	Version	Category	License	Language
`pg_tde`	`2.1`	SEC	MIT	C

ID	Extension	Bin	Lib	Load	Create	Trust	Reloc	Schema
7500	`pg_tde`	No	Yes	Yes	Yes	No	No	-

Related	`pgsodium` `pgsmcrypto` `pgcrypto` `anon` `pgcryptokey` `faker` `sslutils` `uuid-ossp`

works on percona postgres tde fork

Version

Type	Repo	Version	PG Ver	Package	Deps
EXT	PIGSTY	`2.1`	1817161514	`pg_tde`	-
RPM	PIGSTY	`2.1.1`	1817161514	`percona-postgresql$v`	-
DEB	PIGSTY	`2.1.1`	1817161514	`percona-postgresql-$v`	-

OS / PG	PG18	PG17	PG16	PG15	PG14
el8.x86_64	PIGSTY MISS	PIGSTY MISS	PIGSTY MISS	PIGSTY MISS	PIGSTY MISS
el8.aarch64	PIGSTY MISS	PIGSTY MISS	PIGSTY MISS	PIGSTY MISS	PIGSTY MISS
el9.x86_64	PIGSTY MISS	PIGSTY MISS	PIGSTY MISS	PIGSTY MISS	PIGSTY MISS
el9.aarch64	PIGSTY MISS	PIGSTY MISS	PIGSTY MISS	PIGSTY MISS	PIGSTY MISS
el10.x86_64	PIGSTY MISS	PIGSTY MISS	PIGSTY MISS	PIGSTY MISS	PIGSTY MISS
el10.aarch64	PIGSTY MISS	PIGSTY MISS	PIGSTY MISS	PIGSTY MISS	PIGSTY MISS
d12.x86_64	PIGSTY MISS	PIGSTY MISS	PIGSTY MISS	PIGSTY MISS	PIGSTY MISS
d12.aarch64	PIGSTY MISS	PIGSTY MISS	PIGSTY MISS	PIGSTY MISS	PIGSTY MISS
d13.x86_64	PIGSTY MISS	PIGSTY MISS	PIGSTY MISS	PIGSTY MISS	PIGSTY MISS
d13.aarch64	PIGSTY MISS	PIGSTY MISS	PIGSTY MISS	PIGSTY MISS	PIGSTY MISS
u22.x86_64	PIGSTY MISS	PIGSTY MISS	PIGSTY MISS	PIGSTY MISS	PIGSTY MISS
u22.aarch64	PIGSTY MISS	PIGSTY MISS	PIGSTY MISS	PIGSTY MISS	PIGSTY MISS
u24.x86_64	PIGSTY MISS	PIGSTY MISS	PIGSTY MISS	PIGSTY MISS	PIGSTY MISS
u24.aarch64	PIGSTY MISS	PIGSTY MISS	PIGSTY MISS	PIGSTY MISS	PIGSTY MISS

Install

You can install pg_tde directly. First, make sure the PGDG and PIGSTY repositories are added and enabled:

pig repo add pgsql -u          # Add repo and update cache

Install the extension using pig or apt/yum/dnf:

pig install pg_tde;          # Install for current active PG version

pig ext install -y pg_tde -v 18  # PG 18
pig ext install -y pg_tde -v 17  # PG 17

dnf install -y percona-postgresql18       # PG 18
dnf install -y percona-postgresql17       # PG 17

apt install -y percona-postgresql-18   # PG 18
apt install -y percona-postgresql-17   # PG 17

Preload:

shared_preload_libraries = 'pg_tde';

Create Extension:

CREATE EXTENSION pg_tde;

Usage

pg_tde: Transparent Data Encryption for PostgreSQL

pg_tde provides Transparent Data Encryption (TDE) at the file level, encrypting tuples, WAL, and indexes. It works with the tde_heap access method and supports keyringfile and external Key Management Systems (KMS).

CREATE EXTENSION pg_tde;

Configuration

Add to postgresql.conf:

shared_preload_libraries = 'pg_tde'

Setting Up a Key Provider

-- File-based key provider (database-level)
SELECT pg_tde_add_database_key_provider_file('file_keyring', '/path/to/keyring');

-- Or global-level key provider
SELECT pg_tde_add_global_key_provider_file('file_keyring', '/path/to/keyring');

-- Set the encryption key using a database key provider
SELECT pg_tde_set_key_using_database_key_provider('my_key', 'file_keyring');

-- Or using a global key provider
SELECT pg_tde_set_key_using_global_key_provider('my_key', 'file_keyring');

Creating Encrypted Tables

CREATE TABLE sensitive_data (
    id serial PRIMARY KEY,
    secret text
) USING tde_heap;

All data in tables created with USING tde_heap is transparently encrypted on disk.

Checking Encryption Status

SELECT pg_tde_is_encrypted('sensitive_data');

Additional Functions

Function	Description
`pg_tde_add_database_key_provider_file(name, path)`	Add a file-based database key provider
`pg_tde_add_global_key_provider_file(name, path)`	Add a file-based global key provider
`pg_tde_add_database_key_provider_vault_v2(...)`	Add a HashiCorp Vault database key provider
`pg_tde_add_global_key_provider_vault_v2(...)`	Add a HashiCorp Vault global key provider
`pg_tde_set_key_using_database_key_provider(key, provider)`	Set encryption key via database provider
`pg_tde_set_key_using_global_key_provider(key, provider)`	Set encryption key via global provider
`pg_tde_is_encrypted(table)`	Check if a table is encrypted

Notes

Works only with Percona Server for PostgreSQL 17+
Encrypts tuples, WAL, and indexes
Does not yet encrypt temporary files and statistics

Feedback

Was this page helpful?

Thanks for the feedback! Please let us know how we can improve.

Sorry to hear that. Please let us know how we can improve.

Last Modified 2026-03-12: add pg extension catalog (95749bf)