Configure pg_tde
Before you can use pg_tde for data encryption, you must enable the extension and configure PostgreSQL to load it at startup. This setup ensures that the necessary hooks and shared memory are available for encryption operations.
Note
To learn how to configure multi-tenancy, refer to the Configure multi-tenancy guidelines.
The pg_tde extension requires additional shared memory. You need to configure PostgreSQL to preload it at startup.
1. Configure shared_preload_libraries
You can configure the shared_preload_libraries parameter in two ways:
- Add the following line to the postgresql.conf file:
  shared_preload_libraries = 'pg_tde'
- Use the ALTER SYSTEM command. Run the following command in psql as a superuser:
  ALTER SYSTEM SET shared_preload_libraries = 'pg_tde';
2. Restart the PostgreSQL cluster
Restart the PostgreSQL cluster to apply the configuration.
- On Debian and Ubuntu:
  sudo systemctl restart postgresql.service
- On RHEL and derivatives:
  sudo systemctl restart postgresql-17
3. Create the extension
After restarting PostgreSQL, connect to psql as a superuser or database owner and run:
CREATE EXTENSION pg_tde;
See CREATE EXTENSION for more details.
Note
The pg_tde extension is created only for the current database. To enable it for other databases, you must run the command in each individual database.
4. (Optional) Enable pg_tde by default
To automatically have pg_tde enabled for all new databases, modify the template1 database:
psql -d template1 -c 'CREATE EXTENSION pg_tde;'
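The steps above cover a fresh server. On a server that already preloads other libraries (pg_stat_statements is a common one), both `shared_preload_libraries = 'pg_tde'` in postgresql.conf and `ALTER SYSTEM SET shared_preload_libraries = 'pg_tde'` replace the whole list rather than extending it, so the previously loaded libraries silently stop loading after the restart. The following POSIX shell script is an added example and not part of the pg_tde documentation: it reads the current value from a postgresql.conf, appends pg_tde only if it is missing (PostgreSQL uses the last uncommented assignment in the file, so appending a new line is enough), and offers a check to run against `SHOW shared_preload_libraries` after the restart. The PGCONF environment variable and the sample file used in the comments are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the pg_tde docs): make sure 'pg_tde' is listed in
# shared_preload_libraries without dropping libraries that are already there,
# and verify after the restart that the running server actually loaded it.

# Print the effective value of shared_preload_libraries in a postgresql.conf.
# PostgreSQL takes the last uncommented assignment, so we do too; quotes,
# trailing comments and whitespace are stripped. Prints nothing if unset.
current_preload() {
    conf="$1"
    grep -E '^[[:space:]]*shared_preload_libraries[[:space:]]*=' "$conf" 2>/dev/null \
        | tail -n 1 \
        | sed -e 's/^[^=]*=[[:space:]]*//' \
              -e "s/[\"']//g" \
              -e 's/[[:space:]]*#.*$//' \
              -e 's/[[:space:]]//g'
}

# Print the comma-separated list with pg_tde appended, unless it is already present.
with_pg_tde() {
    value="$1"
    if [ -z "$value" ]; then
        printf 'pg_tde\n'
        return 0
    fi
    case ",$value," in
        *,pg_tde,*) printf '%s\n' "$value" ;;
        *)          printf '%s,pg_tde\n' "$value" ;;
    esac
}

# Append a new shared_preload_libraries line to the conf file only when the
# effective value would change. Appending (rather than editing in place) keeps
# the file history readable and relies on last-assignment-wins semantics.
ensure_pg_tde_preloaded() {
    conf="$1"
    current=$(current_preload "$conf")
    wanted=$(with_pg_tde "$current")
    if [ "$current" = "$wanted" ]; then
        return 0   # already configured, nothing to do
    fi
    printf "shared_preload_libraries = '%s'\n" "$wanted" >> "$conf"
}

# Post-restart check: given the output of
#   psql -Atc "SHOW shared_preload_libraries"
# return 0 if pg_tde is among the loaded libraries, 1 otherwise.
pg_tde_loaded() {
    loaded=$(printf '%s' "$1" | tr -d ' ')
    case ",$loaded," in
        *,pg_tde,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Usage (assumed workflow): PGCONF=/path/to/postgresql.conf sh ensure_pg_tde.sh
# then restart the cluster as described in step 2 and run
#   pg_tde_loaded "$(psql -Atc 'SHOW shared_preload_libraries')" && echo "pg_tde loaded"
if [ -n "${PGCONF:-}" ]; then
    ensure_pg_tde_preloaded "$PGCONF"
fi
```

If the post-restart check fails even though the file was updated, the usual causes are a conf file that is not the one the server reads (compare with `SHOW config_file`) or a postgresql.auto.conf entry written by ALTER SYSTEM, which overrides postgresql.conf.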
Note
You can use external key providers to manage encryption keys. The recommended approach is to use the Key Management Store (KMS). See the next step on how to configure the KMS.