open-dsi
/
postgres
mirror of https://github.com/postgres/postgres
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
191 Commits
38 Branches
662 Tags
733 MiB
 
 
 
 
 
 
Tag: Branch: Tree: fef148355a
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'fef148355a'
${ noResults }
postgres/documentation/docs/release-notes/release-notes.md

2.8 KiB
Raw Blame History

pg_tde release notes

pg_tde extension brings in Transparent Data Encryption (TDE) to PostgreSQL and enables you to keep sensitive data safe and secure.

Get started{.md-button}

Beta (2024-06-30)

The Beta version introduces the following bug fixes and improvements:

  • Fixed the issue with pg_tde running out of memory used for decrypted tuples. The fix introduces the new component TDEBufferHeapTupleTableSlot that keeps track of the allocated memory for decrypted tuples and frees this memory when the tuple slot is no longer needed.

  • Fixed the issue with adjusting a current position in a file by using raw file descriptor for the lseek function. (Thanks to user rainhard for providing the fix)

  • Enhanced the init script to consider a custom superuser for the POSTGRES_USER parameter when pg_tde is running via Docker (Thanks to Alejandro Paredero for reporting the issue)

Alpha 1 (2024-03-28)

Release Highlights

The Alpha1 version of the extension introduces the following key features:

  • You can now rotate principal keys used for data encryption. This reduces the risk of long-term exposure to potential attacks and helps you comply with security standards such as GDPR, HIPAA, and PCI DSS.

  • You can now configure encryption differently for each database. For example, encrypt specific tables in some databases with different encryption keys while keeping others non-encrypted.

  • Keyring configuration has undergone several improvements, namely:

    • You can define separate keyring configuration for each database
    • You can change keyring configuration dynamically, without having to restart the server
    • The keyring configuration is now stored in a catalog separately for each database, instead of a configuration file
    • Avoid storing secrets in the unencrypted catalog by configuring keyring parameters to be read from external sources (file, http(s) request)

Improvements

  • Renamed the repository and Docker image from postgres-tde-ext to pg_tde. The extension name remains unchanged
  • Changed the Initialization Vector (IV) calculation of both the data and internal keys

Bugs fixed

  • Fixed toast related crashes
  • Fixed a crash with the DELETE statement
  • Fixed performance-related issues
  • Fixed a bug where pg_tde sent many 404 requests to the Vault server
  • Fixed сompatibility issues with old OpenSSL versions
  • Fixed сompatibility with old Curl versions

MVP (2023-12-12)

The Minimum Viable Product (MVP) version introduces the following functionality:

  • Encryption of heap tables, including TOAST
  • Encryption keys are stored either in Hashicorp Vault server or in local keyring file (for development)
  • The key storage is configurable via separate JSON configuration files
  • Replication support