Transparent data encryption (TDE) v1

Suggest edits

We are in the process of migrating the documentation from the previous EDB Postgres Distributed for Kubernetes name to the new EDB CloudNativePG Global Cluster name. You may see references to both names in this documentation.

Important

TDE is available only for operands that support it: EDB Postgres Advanced Server versions 15 and newer and EDB Postgres Extended versions 15 and newer.

Transparent data encryption, or TDE, is a technology used by several database vendors to encrypt data at rest, that is, database files on disk. However, TDE doesn't encrypt data in use.

TDE is included in EDB Postgres Advanced Server or EDB Postgres Extended, starting with version 15, and is supported by EDB Postgres Distributed for Kubernetes.

Important

Before you proceed, please take some time to familiarize with the TDE feature in the EPAS documentation.

With TDE activated, both WAL files and files for tables are encrypted. Data encryption/decryption is entirely transparent to the user, as it's managed by the database without requiring any application changes or updated client drivers.

The support for TDE on EDB Postgres Distributed for Kubernetes relies on the implementation from EDB Postgres for Kubernetes (PG4K). See the PG4K documentation for the full context.

You can use TDE with a passphrase stored in a Kubernetes secret, which is used to encrypt the EDB Postgres Advanced Server binary key.

EDB Postgres Advanced Server documentation

See the EDB Posgres Advanced Server documentation for details on the this encryption key.

TDE on EDB Postgres Distributed for Kubernetes relies on the PG4K implementation. Activating TDE on a cluster uses the epas section of the manifest, which is in the cnp section used for PG4K-level directives such as storage. Use the tde stanza to enable TDE, and set the name of the Kubernetes secret holding the TDE encryption key.

The following YAML portion contains both a secret holding a passphrase (base-64 encoded), and the epas section activating TDE with the passphrase.

---
apiVersion: v1
kind: Secret
metadata:
  name: tde-key
data:
  key: bG9zcG9sbGl0b3NkaWNlbnBpb3Bpb3Bpb2N1YW5kb3RpZW5lbmhhbWJyZWN1YW5kb3RpZW5lbmZyaW8=

---
apiVersion: pgd.k8s.enterprisedb.io/v1beta1
kind: PGDGroup
[…]
spec:
  instances: 3
[…]
  cnp:
    postgresql:
      epas:
        tde:
          enabled: true
          secretKeyRef:
            name: tde-key
            key: key
    storage:
      size: 1Gi

Again, see the PG4K documentation for additional depth, including how to create the encryption secret and additional ways of using TDE.

As shown in the TDE feature documentation, the information is encrypted at rest.

For example, open a psql terminal into one of your data nodes.

kubectl exec -ti <DATA-NODE> -- psql app

Create a new table including a text column:

create table foo(bar int, baz varchar);
insert into foo(bar, baz) values (1, 'hello'), (2, 'goodbye');

Verify the location where the newly defined table is stored on disk:

select pg_relation_filepath('foo');
 pg_relation_filepath 
----------------------
 base/16385/16387

You can open a terminal on the same data node:

kubectl exec -ti <DATA-NODE> -- bash

There, you can verify the file was encrypted:

cd $PGDATA/base/16385
hexdump -C 16387 | grep hello
hexdump -C 16387 | grep goodbye

← Prev

Red Hat OpenShift

↑ Up

EDB CloudNativePG Global Cluster

LDAP authentication

Transparent data encryption (TDE) v1

Important

Important

EDB Postgres Advanced Server documentation

← Prev

↑ Up

Next →