TDE compatibility with tools and extensions

Transparent Data Encryption (TDE) protects PostgreSQL data files and Write-Ahead Logs (WAL) by encrypting them at rest.

This page describes how TDE interacts with each component included in the Percona Distribution for PostgreSQL.

Compatibility summary

| Component | Affected by TDE | Notes |
|---|---|---|
| etcd | ❌ No | Stores configuration data, not PostgreSQL data. |
| HAProxy | ❌ No | Operates at network level; unaffected by TDE. |
| Patroni | ⚙️ Partial | Cluster replication requires consistent keys. |
| pgAudit | ❌ No | Logs SQL activity; no interaction with encrypted files. |
| pgAudit set_user | ❌ No | Session role tracking unaffected by encryption. |
| pgBackRest | ✅ Yes | Backs up encrypted data and WAL; requires key for restore. |
| pgBadger | ❌ No | Processes plaintext PostgreSQL logs; not impacted. |
| pgBouncer | ❌ No | Connection pooling; no access to storage layer. |
| pg_gather | ❌ No | Collects performance stats; queries decrypted data in memory. |
| pgpool2 | ❌ No | Middleware routing connections; not affected by TDE. |
| pg_repack | ✅ Yes | Rewrites data files; requires access to decrypted in-memory data. |
| pg_stat_monitor | ❌ No | Operates at query-level statistics; no WAL interaction. |
| pgvector | ❌ No | Works on in-memory and SQL-level data; encryption transparent. |
| PostGIS | ❌ No | Spatial extensions operate on decrypted in-memory data. |
| wal2json | ⚠️ Limited | Logical decoding may fail on encrypted WAL. |
| PostgreSQL Commons and Contrib Modules | ❌ No | Core modules function normally with TDE enabled. |

etcd

etcd is a distributed key-value store used by Patroni to maintain cluster state.
It does not store PostgreSQL data or WAL files.

  • TDE does not impact etcd functionality.
  • No special configuration is required.

HAProxy

HAProxy provides load balancing and connection routing.
Since it operates over TCP connections, not on data files:

  • TDE does not affect its behavior.
  • No configuration changes are needed.

Patroni

Patroni manages PostgreSQL high availability and replication.
It is not directly impacted by TDE, but the following considerations apply:

  • Each cluster node must share the same TDE key provider and key ID.
  • A key mismatch will prevent replicas from starting or replaying WAL.
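
A pre-flight check for the key consistency requirement above, as an added example that is not part of the Percona documentation or tooling. The report format, node names, provider name and key IDs are constructed, and how each node's provider and key ID are collected is left to the deployment.

```python
# Added example: flag Patroni members whose TDE key provider or key ID differs from the leader.
from collections import namedtuple

NodeKey = namedtuple("NodeKey", "node role provider key_id")

# Constructed sample, one member per line: node|role|provider|key_id (all values hypothetical).
SAMPLE_REPORT = """\
pg-node1|leader|vault-prod|key-2024-01
pg-node2|replica|vault-prod|key-2024-01
pg-node3|replica|vault-prod|key-2023-07
pg-node4|replica||
"""

def parse_report(text):
    """Parse pipe-separated member lines, skipping blanks and comments."""
    members = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        members.append(NodeKey(*fields))
    return members

def check_key_consistency(members):
    """Return {node: reason} for members that do not match the leader."""
    leaders = [m for m in members if m.role == "leader"]
    if len(leaders) != 1:
        raise ValueError(f"expected exactly one leader, found {len(leaders)}")
    leader = leaders[0]
    if not leader.provider or not leader.key_id:
        raise ValueError("leader reports no key provider or key ID")
    problems = {}
    for m in members:
        if m is leader:
            continue
        if not m.provider or not m.key_id:
            problems[m.node] = "no key information reported"
        elif m.provider != leader.provider:
            problems[m.node] = f"provider {m.provider!r} != leader {leader.provider!r}"
        elif m.key_id != leader.key_id:
            problems[m.node] = f"key ID {m.key_id!r} != leader {leader.key_id!r}"
    return problems

if __name__ == "__main__":
    for node, reason in check_key_consistency(parse_report(SAMPLE_REPORT)).items():
        print(f"{node}: {reason}")
```

Running the check before adding a replica or performing a planned switchover surfaces a mismatch before the replica fails to start or replay WAL.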

pgAudit

pgAudit logs SQL statements for auditing purposes.

  • TDE does not affect audit logging because SQL is captured before disk encryption.
  • Logs are written as plaintext files.

pgAudit set_user

pgAudit set_user provides controlled user switching.
It operates at the session level and is not affected by encryption of data files.

  • No TDE-specific configuration is required.

pgBackRest

pgBackRest performs physical backups and restores of PostgreSQL clusters.
It fully supports encrypted databases.

  • Backups include encrypted data and WAL segments.
  • Restores require the original TDE encryption key or Vault access.

Warning

Restoring without the correct key makes the backup unusable.

pgBadger

pgBadger analyzes PostgreSQL logs for activity and performance.

  • Logs are not encrypted by TDE.
  • No configuration or compatibility issues.

pgBouncer

pgBouncer handles connection pooling at the network layer.
It has no interaction with encrypted data or WAL files.

  • TDE does not affect pgBouncer.
  • No configuration changes are needed.

pg_gather

pg_gather collects system and query statistics from running databases.

  • TDE is transparent; no configuration required.

pgpool2

pgpool2 manages load balancing and connection routing for PostgreSQL.

  • Works on SQL sessions, not files.
  • TDE encryption at rest has no impact.

pg_repack

pg_repack rebuilds database objects to reclaim space or optimize performance.

  • Works with decrypted data in memory.
  • Can safely be used with TDE-enabled clusters.

pg_stat_monitor

pg_stat_monitor collects detailed query statistics.

  • Operates entirely at the SQL and memory level.
  • TDE does not affect functionality.

pgvector

pgvector stores and searches vector embeddings.

  • Operates at the SQL layer, reading decrypted in-memory data.
  • TDE does not change its functionality.

PostGIS

PostGIS adds spatial data types and functions.

  • Operates on decrypted data loaded into memory.
  • TDE does not change its functionality.

wal2json

wal2json converts WAL records into JSON for logical replication.

With TDE enabled:

  • WAL files are encrypted on disk.
  • Logical decoding may fail because it cannot access decrypted WAL.

Warning

wal2json is not compatible with encrypted WAL. Consider using logical replication with TDE disabled, or alternative decoding plugins.

PostgreSQL Commons and Contrib Modules

Common and contrib modules (such as pg_stat_statements, pg_trgm, and hstore)
operate at the SQL and memory level.

  • TDE does not change their functionality.
  • No additional configuration is required.
