postgres/contrib/pg_tde/documentation/docs/release-notes/release-notes-v2.0.md

pg_tde 2.0 ({{date.GA20}})

The pg_tde extension by Percona brings Transparent Data Encryption (TDE) to PostgreSQL and enables you to keep sensitive data safe and secure.

Get Started{.md-button}

Release Highlights

WAL encryption is now generally available

Write-Ahead Log (WAL) encryption is now fully supported and production-ready. It extends pg_tde's coverage from relation data to the write-ahead log, so that WAL records are encrypted transparently using the same key infrastructure (principal keys and key providers) that protects encrypted tables and indexes.

WAL encryption upgrade limitation

Clusters that used WAL encryption in the beta release (pg_tde 1.0 or older) cannot be upgraded to pg_tde 2.0. If the cluster had WAL encryption enabled, the server fails to start with the following error:

```
FATAL: principal key not configured
HINT: Use pg_tde_set_server_key_using_global_key_provider() to configure one.
```

Clusters that did not use WAL encryption in the beta release can be upgraded normally.

Documentation updates

Known issues

  • Creating, changing, or rotating global key providers (or their keys) while pg_basebackup is running may cause standbys or standalone clusters initialized from that backup to fail during WAL replay, and may also corrupt encrypted data (tables, indexes, and other relations).

    Avoid these actions during backup windows. After completing a key rotation or provider update, take a new full backup.

  • Using pg_basebackup with --wal-method=fetch produces warnings.

    This behavior is expected and will be addressed in a future release.

  • On Rocky Linux 8 for ARM64-based architectures, the default locked-memory limit (RLIMIT_MEMLOCK, shown by `ulimit -l`) is 64 KiB, which equals the memory page size on that platform. Because the parent process already consumes the whole limit, a child process started by pg_tde fails to lock another memory page.

    To prevent this, raise the locked-memory limit to at least twice the memory page size:

    • temporarily, for the current session, with the `ulimit -l <value>` command (the value is in KiB);
    • persistently, by setting a new `memlock` hard limit in the /etc/security/limits.conf file. This requires superuser privileges.

    Adjust the limits with caution, since they affect other processes running on your system.
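The following script is an added example and is not part of the pg_tde documentation or the project's code. It checks whether the current session's locked-memory limit satisfies the "at least twice the page size" rule described above and, if not, prints the session-level `ulimit -l` command and the two limits.conf lines to apply. The OS user name `postgres` and the function names are assumptions made for this example; the page itself does not name them.

```shell
#!/bin/sh
# Added example (not pg_tde project code): verify that RLIMIT_MEMLOCK is at
# least twice the memory page size, as the Rocky Linux 8 / ARM64 note requires.
# `ulimit -l` reports the limit in KiB, `getconf PAGESIZE` reports bytes.

# mlock_limit_ok LIMIT_KIB PAGESIZE_BYTES
#   Returns 0 if LIMIT_KIB is "unlimited" or >= 2 * PAGESIZE_BYTES (in KiB),
#   otherwise returns 1. Pure function so it can be checked offline.
mlock_limit_ok() {
    limit="$1"
    pagesize="$2"
    if [ "$limit" = "unlimited" ]; then
        return 0
    fi
    needed_kib=$(( pagesize * 2 / 1024 ))
    [ "$limit" -ge "$needed_kib" ]
}

# limits_conf_lines USER LIMIT_KIB
#   Prints the soft and hard `memlock` entries to append to
#   /etc/security/limits.conf for the given OS user. Nothing is written.
limits_conf_lines() {
    printf '%s soft memlock %s\n%s hard memlock %s\n' "$1" "$2" "$1" "$2"
}

# check_current [USER]
#   Inspects the running session and prints either a confirmation or the
#   commands needed to fix the limit. USER defaults to "postgres" (assumed).
check_current() {
    user="${1:-postgres}"
    cur=$(ulimit -l)
    ps=$(getconf PAGESIZE)
    if mlock_limit_ok "$cur" "$ps"; then
        echo "ok: memlock limit ${cur} KiB >= 2 x page size (${ps} bytes)"
        return 0
    fi
    want=$(( ps * 2 / 1024 ))
    echo "too low: memlock limit ${cur} KiB < 2 x page size (${ps} bytes)"
    echo "session fix:    ulimit -l ${want}"
    echo "persistent fix, append to /etc/security/limits.conf:"
    limits_conf_lines "$user" "$want"
    return 1
}
```

Run `check_current` as the PostgreSQL service user, since `ulimit -l` reports the limit of the calling shell, not the one the server would inherit from systemd. On a 64 KiB page ARM64 host with the default 64 KiB limit the check fails and the script asks for 128 KiB; on a 4 KiB page x86_64 host the same default passes, which is why the issue only shows up on the platform named above.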

Changelog

New Features

Improvements

Bugs Fixed