From 6d3a9701670691fa67e631712b6f56c1926b501d Mon Sep 17 00:00:00 2001 From: Anastasia Alexandrova Date: Mon, 24 Feb 2025 17:00:32 +0100 Subject: [PATCH] PG-1303 Added deprecation label to PG community version and tde_heap_basic access method (#55) modified: contrib/pg_tde/documentation/docs/decrypt.md modified: contrib/pg_tde/documentation/docs/features.md modified: contrib/pg_tde/documentation/docs/index.md modified: contrib/pg_tde/documentation/docs/table-access-method.md modified: contrib/pg_tde/documentation/mkdocs.yml --- contrib/pg_tde/documentation/docs/decrypt.md | 17 +---------------- contrib/pg_tde/documentation/docs/features.md | 18 ++++++++++-------- contrib/pg_tde/documentation/docs/index.md | 15 +++++---------- .../documentation/docs/table-access-method.md | 11 +++-------- 4 files changed, 19 insertions(+), 42 deletions(-) diff --git a/contrib/pg_tde/documentation/docs/decrypt.md b/contrib/pg_tde/documentation/docs/decrypt.md index fa8c17efaae..5ce489c34d9 100644 --- a/contrib/pg_tde/documentation/docs/decrypt.md +++ b/contrib/pg_tde/documentation/docs/decrypt.md @@ -2,7 +2,7 @@ ## Method 1. Change the access method -If you encrypted a table with the `tde_heap` or `tde_heap_basic` access method and need to decrypt it, run the following command against the desired table (`mytable` in the example below): +If you encrypted a table with the `tde_heap` access method and need to decrypt it, run the following command against the desired table (`mytable` in the example below): ``` ALTER TABLE mytable SET ACCESS METHOD heap; 
@@ -22,21 +22,6 @@ SELECT pg_tde_is_encrypted('mytable'); The output returns `f` meaning that the table is no longer encrypted. -!!! note "" - - In the same way you can re-encrypt the data with the `tde_heap_basic` access method. - - ``` - ALTER TABLE mytable SET ACCESS METHOD tde_heap_basic; - ``` - - Note that the indexes and WAL files will no longer be encrypted. - - Run a simple `count(*)` on your table to check every tuple for visibility and set the hint bits: - - ``` - SELECT count(*) FROM mytable; - ``` ## Method 2. Create a new unencrypted table on the base of the encrypted one diff --git a/contrib/pg_tde/documentation/docs/features.md b/contrib/pg_tde/documentation/docs/features.md index b62ca50bc4a..3548c6deb22 100644 --- a/contrib/pg_tde/documentation/docs/features.md +++ b/contrib/pg_tde/documentation/docs/features.md @@ -4,14 +4,16 @@ We provide `pg_tde` in two versions for both PostgreSQL Community and [Percona S The following table provides features available for each version: -| PostgreSQL Community version | Percona Server for PostgreSQL version
| -|----------------------|-------------------------------| -| Table encryption:
- data tables,
- TOAST tables
- temporary tables created during the database operation.

Metadata of those tables is not encrypted. | Table encryption:
- data tables,
- **Index data for encrypted tables**,
- TOAST tables,
- temporary tables created during the database operation.

Metadata of those tables is not encrypted. | -| Write-Ahead Log (WAL) encryption of data in encrypted tables | **Global** Write-Ahead Log (WAL) encryption: for data in encrypted and non-encrypted tables | -| Multi-tenancy support| Multi-tenancy support | -| Table-level granularity |Table-level granularity | -| Key management via:
- HashiCorp Vault;
- Local keyfile | Key management via:
- HashiCorp Vault;
- KMIP server;
- Local keyfile| -| | Logical replication of encrypted tables | +| Percona Server for PostgreSQL version | PostgreSQL Community version (deprecated) | +|-------------------------------|----------------------| +| Table encryption:
- data tables,
- **Index data for encrypted tables**,
- TOAST tables,
- temporary tables created during the database operation.

Metadata of those tables is not encrypted. | Table encryption:
- data tables,
- TOAST tables
- temporary tables created during the database operation.

Metadata of those tables is not encrypted. | +| **Global** Write-Ahead Log (WAL) encryption: for data in encrypted and non-encrypted tables | Write-Ahead Log (WAL) encryption of data in encrypted tables | +| Single-tenancy support via global keyring provider | | +| Multi-tenancy support | Multi-tenancy support | +| Table-level granularity | Table-level granularity | +| Key management via:
- HashiCorp Vault;
- KMIP server;
- Local keyfile | Key management via:
- HashiCorp Vault;
- Local keyfile | +| Logical replication of encrypted tables | | + diff --git a/contrib/pg_tde/documentation/docs/index.md b/contrib/pg_tde/documentation/docs/index.md index 19677410721..81390a741af 100644 --- a/contrib/pg_tde/documentation/docs/index.md +++ b/contrib/pg_tde/documentation/docs/index.md @@ -24,10 +24,7 @@ Learn more [what is Transparent Data Encryption](tde.md#how-does-it-work) and [w ## Known limitations * Keys in the local keyfile are stored unencrypted. For better security we recommend using the Key management storage. -* System tables are currently not encrypted. -* Currently you cannot update the configuration of an existing Key Management Store (KMS). If its configuration changes (e.g. your Vault server has a new URL), you must set up a new key provider in `pg_tde` and create new keys there. Both the KMS and PostgreSQL servers must be up and running during these changes. [Reach out to our experts](https://www.percona.com/about/contact) for help and to outline the best update path for you. - - We plan to introduce the way to update the configuration of an existing KMS in future releases. +* System tables are currently not encrypted. This means that statistics data and database metadata are currently not encrypted. * `pg_rewind` doesn't work with encrypted WAL for now. We plan to fix it in future releases. 
@@ -42,15 +39,13 @@ The `pg_tde` extension comes in two distinct versions with specific access metho This `pg_tde` version is based on and supported for [Percona Server for PostgreSQL 17.x :octicons-link-external-16:](https://docs.percona.com/postgresql/17/postgresql-server.html) - an open source binary drop-in replacement for PostgreSQL Community. It provides the `tde_heap` access method and offers [full encryption capabilities](features.md). -* **Community version** - - This version is supported for PostgreSQL Community 16 and 17, and Percona Distribution for PostgreSQL 16. It provides the `tde_heap_basic` access method, offering limited encryption features. The limitations are in encrypting WAL data only for tables created using the extension and no support of index encryption nor logical replication. +* **Community version** (deprecated) -### Which version to chose? + This version is available with PostgreSQL Community 16 and 17, and Percona Distribution for PostgreSQL 16. It provides the `tde_heap_basic` access method, offering limited encryption features. The limitations are in encrypting WAL data only for tables created using the extension and no support of index encryption nor logical replication. -Use the community version and the `tde_heap_basic` access method for data sets where indexing is not mandatory or index encryption is not required. Check the [upstream documentation :octicons-link-external-16:](https://github.com/percona/pg_tde/blob/main/README.md) how to get started. +### Which version to choose? -Otherwise, enjoy full encryption with the Percona Server for PostgreSQL version and the `tde_heap` access method. +Enjoy full encryption with the Percona Server for PostgreSQL version and the `tde_heap` access method. The Community version is deprecated and is planned to be removed in future releases. Still not sure? [Contact our experts](https://www.percona.com/about/contact) to find the best solution for you. 
diff --git a/contrib/pg_tde/documentation/docs/table-access-method.md b/contrib/pg_tde/documentation/docs/table-access-method.md index 32a04b0f3d0..818ac7f479f 100644 --- a/contrib/pg_tde/documentation/docs/table-access-method.md +++ b/contrib/pg_tde/documentation/docs/table-access-method.md @@ -55,11 +55,8 @@ Here's how you can set the new default table access method: === "via the SQL statement" - Use the `ALTER SYSTEM` command. This requires superuser or `ALTER SYSTEM` privileges. - - This example shows how to set the `tde_heap` access method. Replace it with the `tde_heap_basic` if needed. - - + Use the `ALTER SYSTEM` command. This requires superuser or ALTER SYSTEM privileges. + ```sql ALTER SYSTEM SET default_table_access_method = tde_heap; ``` @@ -68,8 +65,6 @@ Here's how you can set the new default table access method: Edit the `postgresql.conf` configuration file and add the value for the `default_table_access_method` parameter. - This example shows how to set the `tde_heap` access method. Replace it with the `tde_heap_basic` if needed. - ```ini default_table_access_method = 'tde_heap' ``` @@ -82,7 +77,7 @@ Here's how you can set the new default table access method: You also don't need to have the superuser privileges to run the `SET` command. - You can run the SET command anytime during the session. This example shows how to set the `tde_heap` access method. Replace it with the `tde_heap_basic` if needed. + You can run the SET command anytime during the session. ```sql SET default_table_access_method = tde_heap;
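Review bot: in the decrypt.md hunk at `@@ -2,7 +2,7 @@`, the rewritten sentence drops `tde_heap_basic` altogether, yet the Community version that provides it is only marked deprecated elsewhere in this patch (index.md), not removed, so readers who still hold `tde_heap_basic` tables lose the statement that `ALTER TABLE mytable SET ACCESS METHOD heap;` decrypts those as well. Suggest keeping a parenthetical such as "(or the deprecated `tde_heap_basic`)" until the method is actually removed.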
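Review bot: in the decrypt.md hunk at `@@ -22,21 +22,6 @@`, deleting the whole `!!! note ""` block is consistent with deprecating `tde_heap_basic`, since the "indexes and WAL files will no longer be encrypted" caveat and the `SELECT count(*) FROM mytable;` hint-bit step only applied to re-encrypting with that method, but the page is left with no pointer to how to re-encrypt with `tde_heap` after a decrypt. Suggest a one-line cross-reference to the table access method page in place of the removed note.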
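Review bot: the features.md hunk goes beyond the deprecation label the commit message describes: it adds a new feature row, "Single-tenancy support via global keyring provider", and moves "Logical replication of encrypted tables" into the Percona column, neither of which the message mentions. Either list these in the commit message or split them into their own commit so the feature-matrix change can be reviewed on its own. Minor: the Community cell still reads "- TOAST tables" without the trailing comma the Percona cell uses, and the final `+` line adds a trailing blank line at end of file.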
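Review bot: the index.md hunk at `@@ -24,10 +24,7 @@` removes the "Currently you cannot update the configuration of an existing Key Management Store (KMS)" limitation and its follow-up paragraph without stating anywhere that the limitation has been lifted, and the commit message only mentions a deprecation label. If an existing KMS configuration can now be updated, say so in the commit message (and ideally document how); if it cannot, the bullet should stay, because silently dropping a key-management limitation from the Known limitations list misleads operators planning a Vault or KMIP change. The expanded "System tables are currently not encrypted" bullet is fine.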
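Review bot: in the index.md hunk at `@@ -42,15 +39,13 @@`, the rewritten "Which version to choose?" section tells users the Community version is deprecated and planned for removal but gives no migration guidance for tables created with `tde_heap_basic`; a sentence pointing at how to move such tables to `tde_heap` (the `ALTER TABLE ... SET ACCESS METHOD` form decrypt.md uses, which presumes the Percona Server for PostgreSQL build) would keep people from being stranded on the deprecated method. The removed upstream README link ("Check the upstream documentation ... how to get started") should probably survive inside the deprecated Community bullet, since that version is still stated to be available for PostgreSQL Community 16 and 17. Fixing "chose" to "choose" is right; note it also changes the generated heading anchor, so any existing links to the old anchor need updating.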
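Review bot: in the table-access-method.md hunk at `@@ -55,11 +55,8 @@`, the new line drops the backticks around `ALTER SYSTEM` in "superuser or ALTER SYSTEM privileges" while the same sentence still writes "the `ALTER SYSTEM` command" in code font; that is an unrelated formatting regression, so keep the backticks. If the intent is to name the privilege rather than the command, the precise form would be the `ALTER SYSTEM` privilege on the `default_table_access_method` parameter (`GRANT ALTER SYSTEM ON PARAMETER ... TO role`, available since PostgreSQL 15), which would tell a non-superuser operator exactly what to request instead of superuser. Removing the "Replace it with the `tde_heap_basic` if needed" sentence here and in the two following hunks is fine.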