@ -26,8 +26,13 @@ Lear more [what is Transparent Data Encryption](tde.md#how-does-it-work) and [wh
* Keys in the local keyfile are stored unencrypted. For better security we recommend using the Key management storage.
* System tables are currently not encrypted.
* Currently you cannot update the configuration of an existing Key Management Store (KMS). If its configuration changes (e.g. your Vault server has a new URL), you must set up a new key provider in `pg_tde` and create new keys there. Both the KMS and PostgreSQL servers must be up and running during these changes. [Reach out to our experts](https://www.percona.com/about/contact) for assistance and to outline the best update path for you.
We plan to introduce the way to update the configuration of an existing KMS in future releases.
* `pg_rewind` doesn't work with encrypted WAL for now. We plan to fix it in future releases.
<iwarning>:material-alert: Warning:</i> Note that introducing encryption/decryption affects performance. Our benchmark tests show less than 10% performance overhead for most situations. However, in some specific applications such as those using JSONB operations, performance degradation might be higher.
Anastasia Alexandrova
9 months ago
committed by