Andrew Pogrebnoi 30cb32b5ef
Move pg_tde files to one dir inside PGDATA (tablespaces issues)
10 months ago
.github Bump actions/checkout from 4.1.1 to 4.2.2 (#352) 10 months ago
data Pg 1058 Fix Mergejoin issue (#323) 11 months ago
docker Updated CI runners 1 year ago
documentation Update yum.md - missing repo to meet Perl dependency (#350) 10 months ago
expected Move tde keys and keyring when chaging tablespace 11 months ago
perf Fixing review comments 11 months ago
sql Move tde keys and keyring when chaging tablespace 11 months ago
src Move pg_tde files to one dir inside PGDATA (tablespaces issues) 10 months ago
src16 Move pg_tde files to one dir inside PGDATA (tablespaces issues) 10 months ago
src17 Move pg_tde files to one dir inside PGDATA (tablespaces issues) 10 months ago
sysbench Renamed access methods again 1 year ago
t Use proper tablespace ID in key rotation (#326) 10 months ago
tools Added new merging script and updated build scripts accordingly 1 year ago
.gitignore PG-1095 Add format validation CI workflow and format sources (#308) 10 months ago
CONTRIBUTING.md PG-1191 Add CONTRIBUTING.md (#335) 10 months ago
LICENSE Update LICENSE (#340) 10 months ago
Makefile.in PG-1095 Add format validation CI workflow and format sources (#308) 10 months ago
README.md PG-1203 Add OSSF Scorecard (#338) 10 months ago
SECURITY.md Add SECURITY.md (#312) 11 months ago
code-of-conduct.md Add code of conduct (#313) 11 months ago
config.guess Add configure to make builds (#80) 2 years ago
config.sub Add configure to make builds (#80) 2 years ago
configure Post-migration renaming (#311) 11 months ago
configure.ac Post-migration renaming (#311) 11 months ago
meson.build Move pg_tde files to one dir inside PGDATA (tablespaces issues) 10 months ago
pg_tde--1.0.sql PG-1071: Execute tde event triggers always, even on replicas 11 months ago
pg_tde.conf Updating CI scripts after recent changes (#129) 2 years ago
pg_tde.control First version of a working pg_tde AM. It's just a renaming of the heap access method at this point without any addon features 2 years ago
pgindent_excludes PG-1095 Add format validation CI workflow and format sources (#308) 10 months ago
typedefs.list PG-1095 Add format validation CI workflow and format sources (#308) 10 months ago

README.md


pg_tde: Transparent Database Encryption for PostgreSQL

This PostgreSQL extension provides data-at-rest encryption. It is currently in an experimental phase and under active development. We need your feedback!

Table of contents

  1. Overview
  2. Documentation
  3. Percona Server for PostgreSQL
  4. Build from sources
  5. Run in docker
  6. Setting up
  7. Helper functions

Overview

Transparent Data Encryption offers encryption at the file level and solves the problem of protecting data at rest. The encryption is transparent to users, who can access and manipulate the data without worrying about the encryption process. As key providers, the extension supports a keyring file and HashiCorp Vault.

This extension provides two access methods with different options:

tde_heap_basic access method

  • Works with community PostgreSQL 16 and 17 or with Percona Server for PostgreSQL 17
  • Encrypts tuples and WAL
  • Doesn't encrypt indexes, temporary files, statistics
  • CPU-expensive, as it decrypts pages each time they are read from the buffer pool

tde_heap access method

  • Works only with Percona Server for PostgreSQL 17
  • Uses extended Storage Manager and WAL APIs
  • Encrypts tuples, WAL and indexes
  • Doesn't encrypt temporary files and statistics yet
  • Faster and cheaper than tde_heap_basic

Documentation

Full and comprehensive documentation about pg_tde is available at https://percona.github.io/pg_tde/.

Percona Server for PostgreSQL

Percona provides binary packages of pg_tde extension only for Percona Server for PostgreSQL. Learn how to install them or build pg_tde from sources for PSPG in the documentation.

Building from sources for community PostgreSQL

  1. Install required dependencies (replace XX with 16 or 17)
  • On Debian and Ubuntu:

    sudo apt install make gcc autoconf git libcurl4-openssl-dev postgresql-server-dev-XX
    
  • On RHEL 8 compatible OS:

    sudo yum install epel-release
    yum --enablerepo=powertools install git make gcc autoconf libcurl-devel perl-IPC-Run redhat-rpm-config openssl-devel postgresqlXX-devel
    
  • On MacOS:

    brew install make autoconf curl gettext postgresql@XX
    
  2. Install or build PostgreSQL 16 or 17

  3. If PostgreSQL is installed in a non-standard directory, set the PG_CONFIG environment variable to point to the pg_config executable

  4. Clone the repository:

    git clone https://github.com/percona/pg_tde
    
  5. Compile and install the extension:

    cd pg_tde
    ./configure
    make USE_PGXS=1
    sudo make USE_PGXS=1 install
    

Run in Docker

There is a Docker image with pg_tde based on community PostgreSQL 16:

docker run --name pg-tde -e POSTGRES_PASSWORD=mysecretpassword -d perconalab/pg_tde

The Dockerfile is available here.

See Make Builds for Developers for more info on the build infrastructure.

Setting up

  1. Add extension to the shared_preload_libraries:

    1. Via configuration file postgresql.conf
      shared_preload_libraries=pg_tde 
      
    2. Via SQL using ALTER SYSTEM command
      ALTER SYSTEM SET shared_preload_libraries = 'pg_tde';
      
  2. Start or restart the postgresql instance to apply the changes.

    • On Debian and Ubuntu:

      sudo systemctl restart postgresql.service
      
    • On RHEL 8 compatible OS (replace XX with your version):

      sudo systemctl restart postgresql-XX.service
      
  3. Create the extension with SQL (requires superuser or database owner privileges):

    CREATE EXTENSION pg_tde;
    
  4. Create a key provider. Currently pg_tde supports File and Vault-V2 key providers. You can add the required key provider using one of the functions.

    -- For Vault-V2 key provider
    -- pg_tde_add_key_provider_vault_v2(provider_name, vault_token, vault_url, vault_mount_path, vault_ca_path)
    SELECT pg_tde_add_key_provider_vault_v2(
        'vault-provider',
        json_object( 'type' VALUE 'remote', 'url' VALUE 'http://localhost:8888/token' ),
        json_object( 'type' VALUE 'remote', 'url' VALUE 'http://localhost:8888/url' ),
        to_json('secret'::text), NULL);
    
    -- For File key provider
    -- pg_tde_add_key_provider_file(provider_name, file_path);
    SELECT pg_tde_add_key_provider_file('file','/tmp/pgkeyring');
    

    Note: The File provider is intended for development and stores the keys unencrypted in the specified data file.

  5. Set the principal key for the database using the pg_tde_set_principal_key function.

    -- pg_tde_set_principal_key(principal_key_name, provider_name);
    SELECT pg_tde_set_principal_key('my-principal-key','file');
    
  6. Specify the tde_heap_basic access method when creating a table:

    CREATE TABLE albums (
        album_id INTEGER GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
        artist_id INTEGER,
        title TEXT NOT NULL,
        released DATE NOT NULL
    ) USING tde_heap_basic;
    
  7. You can also encrypt an existing table. This rewrites the whole table, so for large tables it may take a considerable amount of time:

    ALTER TABLE table_name SET ACCESS METHOD tde_heap_basic;
    

Latest test release

To download the latest build of the main branch, use the HEAD release from releases.

Builds are available in a tar.gz format, containing only the required files, and as a deb package. The deb package is built against the pgdg16 release, but this dependency is not yet enforced in the package.

Helper functions

The extension provides the following helper functions:

pg_tde_is_encrypted(tablename)

Returns t if the table is encrypted (uses the tde_heap_basic access method), or f otherwise.
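The following script is an added example, not part of the pg_tde README or the project's own code. It walks through the "Setting up" steps above (provider, principal key, new and migrated tables) and then uses pg_tde_is_encrypted in an audit query that lists which tables in a schema are still unencrypted. It assumes pg_tde is already in shared_preload_libraries and the server has been restarted; the provider name, key name, table names and the /tmp/pgkeyring path are constructed for this example, and it assumes pg_tde_is_encrypted accepts the (possibly schema-qualified) table name as text, as documented above.

```sql
-- Added example (not from the pg_tde README). Assumes pg_tde is preloaded
-- and the instance was restarted. Names below are constructed.

CREATE EXTENSION IF NOT EXISTS pg_tde;

-- File key provider: development only. As the README notes, it stores the
-- keys unencrypted in this file; use the Vault-V2 provider outside of dev.
SELECT pg_tde_add_key_provider_file('dev-file-provider', '/tmp/pgkeyring');
SELECT pg_tde_set_principal_key('dev-principal-key', 'dev-file-provider');

-- A table that is encrypted from the moment it is created.
CREATE TABLE customers (
    customer_id INTEGER GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    email       TEXT NOT NULL,
    ssn_last4   CHAR(4)
) USING tde_heap_basic;

-- A pre-existing plain heap table, then migrated. This is a full rewrite,
-- so expect it to take time on large tables.
CREATE TABLE invoices (invoice_id INTEGER PRIMARY KEY, amount NUMERIC);
ALTER TABLE invoices SET ACCESS METHOD tde_heap_basic;

-- A table deliberately left on the default heap so the audit has a finding.
CREATE TABLE audit_log (id BIGSERIAL PRIMARY KEY, message TEXT);

-- Audit: every ordinary table in schema public, its access method, and
-- pg_tde's own verdict. Rows with encrypted = false still hold plaintext
-- tuples on disk. (Assumption: pg_tde_is_encrypted takes the table name
-- as text, as the README's helper-function description states.)
SELECT n.nspname AS schema_name,
       c.relname AS table_name,
       am.amname AS access_method,
       pg_tde_is_encrypted(c.oid::regclass::text) AS encrypted
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
LEFT JOIN pg_am am  ON am.oid = c.relam
WHERE c.relkind = 'r'
  AND n.nspname = 'public'
ORDER BY encrypted, table_name;
```

In this run the audit should report customers and invoices as encrypted and audit_log as not; rerun the query after any schema change, since tables created without USING tde_heap_basic silently fall back to the default heap.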