open-dsi
/
postgres
mirror of https://github.com/postgres/postgres
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
60701 Commits
38 Branches
662 Tags
731 MiB
 
 
 
 
 
 
Tag: Branch: Tree: d0b53f35fb
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'd0b53f35fb'
${ noResults }
postgres/contrib/pg_tde/documentation/docs/release-notes/release-notes-v1.0.md

61 lines
5.1 KiB
Raw Blame History

# pg_tde 1.0 ({{date.GA10}})
The `pg_tde` by Percona extension brings in [Transparent Data Encryption (TDE) :octicons-link-external-16:](../index/about-tde.md) to PostgreSQL and enables you to keep sensitive data safe and secure.
[Get Started](../install.md){.md-button}
## Release Highlights
* **`pg_tde` 1.0 is now GA (Generally Available)**
And **stable** for encrypting relational data in PostgreSQL using [Transparent Data Encryption (TDE) :octicons-link-external-16:](../index/about-tde.md). This milestone brings production-level data protection to PostgreSQL workloads.
* **WAL encryption is still in Beta**
The WAL encryption feature is currently still in beta and is not effective unless explicitly enabled. **It is not yet production ready.** Do **not** enable this feature in production environments.
## Upgrade considerations
`pg_tde` 1.0 is **not** backward compatible with previous `pg_tde` versions, like Release Candidate 2, due to significant changes in code. This means you **cannot** directly upgrade from one version to another. You must do **a clean installation** of `pg_tde`.
## Known issues
* The default `mlock` limit on Rocky Linux 8 for ARM64-based architectures equals the memory page size and is 64 Kb. This results in the child process with `pg_tde` failing to allocate another memory page because the max memory limit is reached by the parent process.
To prevent this, you can change the `mlock` limit to be at least twice bigger than the memory page size:
* temporarily for the current session using the `ulimit -l <value>` command.
* set a new hard limit in the `/etc/security/limits.conf` file. To do so, you require the superuser privileges.
Adjust the limits with caution since it affects other processes running in your system.
## Changelog
### New Features
- [PG-1257 :octicons-link-external-16:](https://perconadev.atlassian.net/browse/PG-1257) – Added SQL function to remove the current principal key
### Improvements
- [PG-1617 :octicons-link-external-16:](https://perconadev.atlassian.net/browse/PG-1617) – Removed relation key cache
- [PG-1635 :octicons-link-external-16:](https://perconadev.atlassian.net/browse/PG-1635) – User-facing TDE functions now return void
- [PG-1605 :octicons-link-external-16:](https://perconadev.atlassian.net/browse/PG-1605) – Removed undeclared dependencies for `pg_tde_grant_database_key_management_to_role()`
### Bugs Fixed
- [PG-1581 :octicons-link-external-16:](https://perconadev.atlassian.net/browse/PG-1581) – Fixed PostgreSQL crashes on table access when KMIP key is unavailable after restart
- [PG-1583 :octicons-link-external-16:](https://perconadev.atlassian.net/browse/PG-1583) – Fixed a crash when dropping the `pg_tde` extension with CASCADE after changing the key provider file
- [PG-1585 :octicons-link-external-16:](https://perconadev.atlassian.net/browse/PG-1585) – Fixed the vault provider re-addition that failed after server restart with a new token
- [PG-1592 :octicons-link-external-16:](https://perconadev.atlassian.net/browse/PG-1592) – Improve error logs when Server Key Info is requested without being created
- [PG-1593 :octicons-link-external-16:](https://perconadev.atlassian.net/browse/PG-1593) – Fixed runtime failures when invalid Vault tokens are allowed during key provider creation
- [PG-1600 :octicons-link-external-16:](https://perconadev.atlassian.net/browse/PG-1600) – Fixed Postmaster error when dropping a table with an unavailable key provider
- [PG-1606 :octicons-link-external-16:](https://perconadev.atlassian.net/browse/PG-1606) – Fixed missing superuser check in role grant function leads to misleading errors
- [PG-1607 :octicons-link-external-16:](https://perconadev.atlassian.net/browse/PG-1607) – Improved CA parameter order and surrounding documentation for clearer interpretation
- [PG-1608 :octicons-link-external-16:](https://perconadev.atlassian.net/browse/PG-1608) – Updated and fixed global key configuration parameters in documentation
- [PG-1613 :octicons-link-external-16:](https://perconadev.atlassian.net/browse/PG-1613) – Tested and improved the `pg_tde_change_key_provider` CLI utility
- [PG-1637 :octicons-link-external-16:](https://perconadev.atlassian.net/browse/PG-1637) – Fixed unused keys in key files which caused issues after OID wraparound
- [PG-1651 :octicons-link-external-16:](https://perconadev.atlassian.net/browse/PG-1651) – Fixed the CLI tool when working with Vault key export/import
- [PG-1652 :octicons-link-external-16:](https://perconadev.atlassian.net/browse/PG-1652) – Fixed when the server fails to find encryption keys after CLI-based provider change
- [PG-1662 :octicons-link-external-16:](https://perconadev.atlassian.net/browse/PG-1662) – Fixed the creation of inconsistent encryption status when altering partitioned tables
- [PG-1663 :octicons-link-external-16:](https://perconadev.atlassian.net/browse/PG-1663) – Fixed the indexes on partitioned tables which were not encrypted
- [PG-1700 :octicons-link-external-16:](https://perconadev.atlassian.net/browse/PG-1700) – Fixed the error hint when the principal key is missing