Configure pg_tde
Before you can use pg_tde for data encryption, you must enable the extension and configure PostgreSQL to load it at startup. This setup ensures that the necessary hooks and shared memory are available for encryption operations.
Note
To learn how to configure multi-tenancy, refer to the Configure multi-tenancy guidelines.
The pg_tde extension requires additional shared memory. You need to configure PostgreSQL to preload it at startup.
1. Configure shared_preload_libraries
You can configure the shared_preload_libraries parameter in two ways:
- Add the following line to the postgresql.conf file:
  shared_preload_libraries = 'pg_tde'
- Use the ALTER SYSTEM command. Run the following command in psql as a superuser:
  ALTER SYSTEM SET shared_preload_libraries = 'pg_tde';
2. Restart the PostgreSQL cluster
Restart the PostgreSQL cluster to apply the configuration.
- On Debian and Ubuntu:
  sudo systemctl restart postgresql.service
- On RHEL and derivatives:
  sudo systemctl restart postgresql-17
3. Create the extension
After restarting PostgreSQL, connect to psql as a superuser or database owner and run:
CREATE EXTENSION pg_tde;
See CREATE EXTENSION for more details.
Note
The pg_tde extension is created only for the current database. To enable it for other databases, you must run the command in each individual database.
4. (Optional) Enable pg_tde by default
To automatically have pg_tde enabled for all new databases, modify the template1 database:
psql -d template1 -c 'CREATE EXTENSION pg_tde;'
Note
It’s recommended to use an external key provider (KMS) to manage encryption keys. For configuration instructions, see Next steps.
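Added example (not part of the pg_tde documentation): a POSIX shell check for steps 1 to 4 that confirms pg_tde is preloaded and lists the databases where the extension has not been created. It assumes psql connects as a superuser through the usual PG* environment variables; the function names and the --audit flag are made up for this example, and merge_preload covers clusters that already preload other libraries, since setting shared_preload_libraries replaces its whole value.

```shell
#!/bin/sh
# Added example: audit the pg_tde setup steps on a running cluster.
# Assumption: psql reaches the cluster as a superuser via PG* environment variables.

# Return a shared_preload_libraries value that contains $2 and keeps every
# library already present in $1 (the value as printed by SHOW).
merge_preload() {
    cur=$(printf '%s' "$1" | tr -d " \"'")   # drop spaces and quoting
    case ",$cur," in
        *",$2,"*) printf '%s\n' "$cur" ;;      # already listed
        ",,")     printf '%s\n' "$2" ;;        # nothing preloaded yet
        *)        printf '%s\n' "$cur,$2" ;;   # append, keep the rest
    esac
}

# Print every connectable database where CREATE EXTENSION pg_tde has not run.
missing_extension() {
    psql -XAtc "SELECT datname FROM pg_database WHERE datallowconn" |
    while IFS= read -r db; do
        n=$(psql -XAt -d "$db" -c \
            "SELECT count(*) FROM pg_extension WHERE extname = 'pg_tde'" </dev/null)
        [ "$n" = "1" ] || printf '%s\n' "$db"
    done
}

# Run the audit only when asked, so the functions can be sourced on their own.
if [ "${1:-}" = "--audit" ]; then
    cur=$(psql -XAtc "SHOW shared_preload_libraries")
    norm=$(printf '%s' "$cur" | tr -d " \"'")
    want=$(merge_preload "$cur" pg_tde)
    if [ "$want" = "$norm" ]; then
        echo "preload ok: $cur"
    else
        echo "pg_tde not preloaded; set shared_preload_libraries = '$want' and restart"
    fi
    missing_extension | sed 's/^/extension missing in database: /'
fi
```

Run it with --audit after the restart in step 2; template1 is reported unless step 4 was applied.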