Configure pg_tde

Before you can use pg_tde for data encryption, you must enable the extension and configure PostgreSQL to load it at startup. This setup ensures that the necessary hooks and shared memory are available for encryption operations.

Note

To learn how to configure multi-tenancy, refer to the Configure multi-tenancy guidelines.

The pg_tde extension requires additional shared memory, so you must configure PostgreSQL to preload it at startup.

1. Configure shared_preload_libraries

You can configure the shared_preload_libraries parameter in two ways:

  • Add the following line to the postgresql.conf file:

    shared_preload_libraries = 'pg_tde'
    
  • Use the ALTER SYSTEM command. Run the following command in psql as a superuser:

    ALTER SYSTEM SET shared_preload_libraries = 'pg_tde';
    

2. Restart the PostgreSQL cluster

Restart the PostgreSQL cluster to apply the configuration.

  • On Debian and Ubuntu:

    sudo systemctl restart postgresql.service
    
  • On RHEL and derivatives:

    sudo systemctl restart postgresql-17
    

3. Create the extension

After restarting PostgreSQL, connect to psql as a superuser or database owner and run:

    CREATE EXTENSION pg_tde;

See CREATE EXTENSION for more details.

Note

The pg_tde extension is created only for the current database. To enable it for other databases, you must run the command in each individual database.

4. (Optional) Enable pg_tde by default

To automatically have pg_tde enabled for all new databases, modify the template1 database:

    psql -d template1 -c 'CREATE EXTENSION pg_tde;'

Note

You can use external key providers to manage encryption keys. The recommended approach is to use the Key Management Store (KMS). See the next step on how to configure the KMS.
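
The ALTER SYSTEM command in step 1 sets the whole shared_preload_libraries list, so a server that already preloads other libraries would lose them. The following script is an added example, not part of the pg_tde documentation: it builds the statement from the current value and, after the restart, lists the databases where the extension from step 3 is still missing. It assumes psql connects as a superuser through the usual PG* environment variables and that a database named postgres exists.

```shell
#!/bin/sh
# Added example, not part of the pg_tde documentation.
# Assumptions: psql connects as a superuser via PG* environment variables,
# and a database named "postgres" exists.

# preload_sql CURRENT: print an ALTER SYSTEM statement that keeps every
# library in the comma-separated CURRENT value and adds pg_tde exactly once.
# Each library is emitted as its own quoted list element.
preload_sql() {
    list="" found=0 old_ifs=$IFS
    IFS=','
    for item in $1; do
        item=$(printf '%s' "$item" | tr -d '[:space:]"')
        if [ -z "$item" ]; then continue; fi
        if [ "$item" = "pg_tde" ]; then found=1; fi
        list="${list:+$list, }'$item'"
    done
    IFS=$old_ifs
    if [ "$found" -eq 0 ]; then list="${list:+$list, }'pg_tde'"; fi
    printf "ALTER SYSTEM SET shared_preload_libraries = %s;\n" "$list"
}

# missing_dbs: list connectable, non-template databases in which
# CREATE EXTENSION pg_tde has not been run (the extension is per database).
missing_dbs() {
    psql -XAtq -d postgres -c \
        "SELECT datname FROM pg_database WHERE datallowconn AND NOT datistemplate" |
    while IFS= read -r db; do
        n=$(psql -XAtq -d "$db" -c \
            "SELECT count(*) FROM pg_extension WHERE extname = 'pg_tde'" </dev/null)
        if [ "$n" = "0" ]; then printf '%s\n' "$db"; fi
    done
}

# plan:  before the restart, print the merged ALTER SYSTEM statement for review
# audit: after the restart, list databases that still lack the extension
case "${1:-}" in
    plan)  preload_sql "$(psql -XAtq -d postgres -c 'SHOW shared_preload_libraries')" ;;
    audit) missing_dbs ;;
esac
```

Run it with `plan` and review the printed statement before executing it in psql; run it with `audit` once the cluster is back up.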

Next steps

Configure Key Management (KMS)