CYBERTEC PostgreSQL Logo

PostgreSQL Transparent Data Encryption

Transparent Data Encryption (TDE) is a CYBERTEC encryption patch for PostgreSQL and a part of PGEE.

It is currently the only implementation that supports transparent and cryptographically safe data (cluster) level encryption,  independent of operating system or file system encryption.

How does Transparent Data Encryption work?

The idea behind the patch is to store all the files which make up a PostgreSQL cluster securely on disk in an encrypted format (data-at-rest encryption). It then decrypts blocks as they are read from disk. However, the data remains unencrypted in memory. This only requires that the database is initialized with encryption and that the key used for initializing the database is accessible to the server during startup. A special configuration parameter provides the encryption key by specifying a custom key setup command for implementing special security requirements.

The following characteristics should be considered by anyone interested in enabling this feature:

  1. The encryption is transparent from the application’s point of view.
  2. It uses a single key to encrypt the whole cluster.
Basic architecture TDE PostgreSQL encryption

Details

Since the data is stored on a disk, we naturally base our approach on “Disk Encryption Theory”. For each type of file, we use the AES cipher in the appropriate mode of operation. The AES cipher itself encrypts/decrypts individual blocks (encryption blocks) in the most efficient way possible. Your data will be safe on disk.

Performance impact

Fortunately, Intel and AMD offer superior hardware support for AES encryption. This ensures that PostgreSQL TDE has a minimal performance impact. We have seen systems encrypting and decrypting gigabytes of data per second on modern servers. Given a typical workload, the impact of TDE on performance is essentially negligible.

Encrypting your entire database ecosystem

Security is not an isolated issue. To really secure a system, many layers must be considered and you must ensure that all components are covered. PostgreSQL TDE is therefore the ideal solution for your infrastructure.

PostgreSQL TDE not only provides data-at-rest encryption, but also ensures encryption of the entire ecosystem including …

  • Transport encryption (client / server) via SSL
  • Encrypted replication
  • Fully secured replicas

Linux integration

PostgreSQL TDE integrates perfectly into SELinux and provides a solid foundation for your entire infrastructure. In addition, it includes all functions of standard PostgreSQL.

WAL-STREAMING - TDE

Transparent Data Encryption License

PostgreSQL TDE performance

Check out the performance analysis that compares PostgreSQL v13 with PostgreSQL Transparent Data Encryption: PostgreSQL Performance: encrypted vs. unencryped

FAQ

Q: What does TDE actually encrypt?

A: Everything except pg_stat_statements extension data and transaction metadata.

Q: What is the encryption method?

A: Industry standard 128-bit AES-CTR cipher.

Q: Can I use another encryption method?

A: No, but we can build support for it.

Q: What performance penalty should I expect?

A: Hardware instructions accelerate encryption where available. TDE only applies encryption on I/O. Typical encryption and decryption speeds are 5GB/s per CPU core on modern hardware, higher than the I/O speed of the best available SSD devices. On normal workloads the overhead from encryption is not measurable.

Q: Can I upgrade to an encrypted database?

A: We don’t currently support in-place encryption of existing clusters. You will need to perform a dump and reload to an encrypted instance, or use logical replication to perform the migration online.

Q: Is it possible to encrypt only certain tables / tablespaces to win on performance?

A: Currently no. Since the transaction log needs to be fully encrypted in any case, and all changes normally go through there, it probably would not be a silver bullet to change that in the future.

Q: Is it possible to change the encryption key for cases when the encryption key gets compromised?

A: Currently, you should re-initialize a new cluster and dump / restore. However, you can use the key setup command to implement an encrypted key store and passphrase rotation for the master key.

Q: Does it integrate with my HSM?

A: No, but if needed we can build support for it.

Q: I found a bug. Where should I report that bug to?

A: Please directly report any bugs or problems with TDE to bugs-tde@cybertec.at.

CYBERTEC Logo white
Get the newest PostgreSQL Info & Tools


    This site is protected by reCAPTCHA and the Google Privacy Policy & Terms of Service apply.

    ©
    2024
    CYBERTEC PostgreSQL International GmbH
    phone-handsetmagnifiercrosscross-circle
    linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram