Skip to content
Percona Software for PostgreSQL Documentation

For help, click the link below to get free database assistance or contact our experts for personalized support.

Get help from Percona

pg_tde 1.0 (2025-06-30)

The pg_tde by Percona extension brings in Transparent Data Encryption (TDE) to PostgreSQL and enables you to keep sensitive data safe and secure.

Get Started

Release Highlights

  • pg_tde 1.0 is now GA (Generally Available)

And stable for encrypting relational data in PostgreSQL using Transparent Data Encryption (TDE). This milestone brings production-level data protection to PostgreSQL workloads.

  • WAL encryption is still in Beta

The WAL encryption feature is currently still in beta and is not effective unless explicitly enabled. It is not yet production ready. Do not enable this feature in production environments.

Upgrade considerations

pg_tde 1.0 is not backward compatible with previous pg_tde versions, like Release Candidate 2, due to significant changes in code. This means you cannot directly upgrade from one version to another. You must do a clean installation of pg_tde.

Known issues

  • The default mlock limit on Rocky Linux 8 for ARM64-based architectures equals the memory page size and is 64 Kb. This results in the child process with pg_tde failing to allocate another memory page because the max memory limit is reached by the parent process.

To prevent this, you can change the mlock limit to be at least twice bigger than the memory page size:

  • temporarily for the current session using the ulimit -l <value> command.
  • set a new hard limit in the /etc/security/limits.conf file. To do so, you require the superuser privileges.

Adjust the limits with caution since it affects other processes running in your system.

Changelog

New Features

  • PG-1257 – Added SQL function to remove the current principal key

Improvements

  • PG-1617 – Removed relation key cache
  • PG-1635 – User-facing TDE functions now return void
  • PG-1605 – Removed undeclared dependencies for pg_tde_grant_database_key_management_to_role()

Bugs Fixed

  • PG-1581 – Fixed PostgreSQL crashes on table access when KMIP key is unavailable after restart
  • PG-1583 – Fixed a crash when dropping the pg_tde extension with CASCADE after changing the key provider file
  • PG-1585 – Fixed the vault provider re-addition that failed after server restart with a new token
  • PG-1592 – Improve error logs when Server Key Info is requested without being created
  • PG-1593 – Fixed runtime failures when invalid Vault tokens are allowed during key provider creation
  • PG-1600 – Fixed Postmaster error when dropping a table with an unavailable key provider
  • PG-1606 – Fixed missing superuser check in role grant function leads to misleading errors
  • PG-1607 – Improved CA parameter order and surrounding documentation for clearer interpretation
  • PG-1608 – Updated and fixed global key configuration parameters in documentation
  • PG-1613 – Tested and improved the pg_tde_change_key_provider CLI utility
  • PG-1637 – Fixed unused keys in key files which caused issues after OID wraparound
  • PG-1651 – Fixed the CLI tool when working with Vault key export/import
  • PG-1652 – Fixed when the server fails to find encryption keys after CLI-based provider change
  • PG-1662 – Fixed the creation of inconsistent encryption status when altering partitioned tables
  • PG-1663 – Fixed the indexes on partitioned tables which were not encrypted
  • PG-1700 – Fixed the error hint when the principal key is missing