
pg_tde by Percona 101
From licensing to performance, everything you need to know about Percona’s Transparent Data Encryption extension for PostgreSQL.
Is pg_tde by Percona open source?
Yes. Unlike many proprietary PostgreSQL vendors, all Percona software (pg_tde implementation included) is completely open source.
How is pg_tde by Percona licensed?
pg_tde is a fully open source extension. There is no per-database or per-CPU core license fee associated with it.
Can I use pg_tde by Percona with my current PostgreSQL database?
Not directly. You need to use Percona Server for PostgreSQL to access pg_tde by Percona. However, Percona Server for PostgreSQL is a drop-in replacement for PostgreSQL Community, so migration is smooth for most workloads.
Is pg_tde by Percona part of Percona Server for PostgreSQL or Percona Distribution for PostgreSQL?
Both. pg_tde by Percona is an extension to Percona Server for PostgreSQL. Percona Server for PostgreSQL, pg_tde by Percona, and many other extensions are compiled into Percona Distribution for PostgreSQL. Percona Distribution for PostgreSQL contains the best and most critical enterprise components from the open source community, in a single package, designed and tested to work together.
Can I use pg_tde by Percona for storage-level encryption?
TDE stands for Transparent Data Encryption. It encrypts data in the database layer, providing an additional layer of security beyond disk or OS-level encryption. This type of encryption can be used together with storage encryption for an added level of security.
Does pg_tde by Percona support encryption at the column level within PostgreSQL tables?
No, pg_tde has a different purpose and does not support column-level encryption. It offers transparent table-level encryption, meaning entire tables (including table data, indexes, TOAST tables, and temporary tables) are encrypted. Keep in mind that system catalogs and metadata remain unencrypted.
Why use Transparent Data Encryption instead of OS-level or disk encryption?
OS or disk encryption (like LUKS or BitLocker) only protects data on the storage layer. If someone copies the database files to a non-encrypted device, the data is no longer encrypted. TDE encrypts the data at the database level, adding another layer of security. TDE is particularly important for companies that need to meet strict compliance standards like PCI DSS.
What are the key storage options for pg_tde by Percona?
We recommend and support Key Management Systems (KMS). Currently, pg_tde by Percona is tested and supported to work with the following KMS solutions: HashiCorp Vault, Thales CTM, Fortanix KMS, and OpenBao.
Does pg_tde by Percona store keys in flat files?
No. pg_tde does not store keys in flat files by default. The only exception is when users deliberately choose to test it with local key files, which is not recommended for production.
Is Patroni clustering supported with pg_tde by Percona?
Yes. pg_tde by Percona works with Patroni, as long as the entire setup uses the Percona Distribution for PostgreSQL. Please be aware that WAL (write-ahead log) encryption is not GA yet (planned date is August 2025) and may introduce limitations with certain features like incremental backups.
What is the impact of the pg_tde by Percona on database performance?
pg_tde by Percona allows granular encryption, per table or per database, so users have more control and flexibility than with cluster-wide encryption (which is what EDB, Crunchy Data, and most other PostgreSQL vendors offer). Because pg_tde is applied selectively, it maintains a low performance overhead and doesn’t slow down your database. You can read more about performance tests here.
How can organizations audit and verify that pg_tde by Percona is functioning correctly, especially in large deployments?
Auditing pg_tde by Percona deployments involves several key steps:
- Validate that tables are encrypted by checking that they use the pg_tde access method, and by querying the relevant helper function.
- Track internal key generation and usage through logs and key directories.
- Use CLI tools like pg_tde_change_key_provider to validate key rotations.
- Integrate PostgreSQL logs with external SIEM systems to track encryption-related activity.
- Confirm that backups remain encrypted and access to key files is secured.
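A SQL audit pass for the first step above (confirming the extension is installed and finding tables that are not using the pg_tde access method), as an added example that is not from the page or from Percona. It assumes, as in pg_tde's documentation, that the access method is named tde_heap and that the helper function pg_tde_is_encrypted(regclass) exists and returns a boolean; the demo table is constructed for illustration.

```sql
-- Added example, not Percona's own code. Assumes pg_tde names its table
-- access method tde_heap and ships pg_tde_is_encrypted(regclass), as in
-- its documentation. Run inside the database being audited.

-- Constructed demo table so the queries below have something to report on.
CREATE TABLE IF NOT EXISTS audit_demo (id int PRIMARY KEY, payload text)
    USING tde_heap;

-- 1. Confirm the extension is actually installed in this database
--    (an empty result here means nothing in it is encrypted by pg_tde).
SELECT extname, extversion
FROM   pg_extension
WHERE  extname = 'pg_tde';

-- 2. List every ordinary table outside the system schemas with its access
--    method. Rows flagged PLAINTEXT are the ones to chase in a large
--    deployment: they were created without USING tde_heap.
SELECT n.nspname AS schema_name,
       c.relname AS table_name,
       COALESCE(am.amname, '(none)') AS access_method,
       CASE WHEN am.amname = 'tde_heap' THEN 'encrypted'
            ELSE 'PLAINTEXT' END AS status
FROM   pg_class c
JOIN   pg_namespace n ON n.oid = c.relnamespace
LEFT   JOIN pg_am am  ON am.oid = c.relam
WHERE  c.relkind = 'r'                      -- ordinary tables only
AND    n.nspname NOT IN ('pg_catalog', 'information_schema')
AND    n.nspname NOT LIKE 'pg_toast%'
ORDER  BY status DESC, schema_name, table_name;

-- 3. Cross-check the same tables with the helper function, so a mismatch
--    between the catalog view and pg_tde's own answer is visible.
SELECT c.oid::regclass AS table_name,
       pg_tde_is_encrypted(c.oid::regclass) AS encrypted_per_pg_tde
FROM   pg_class c
JOIN   pg_namespace n ON n.oid = c.relnamespace
WHERE  c.relkind = 'r'
AND    n.nspname NOT IN ('pg_catalog', 'information_schema')
AND    n.nspname NOT LIKE 'pg_toast%'
ORDER  BY 1;
```

Scheduling queries 2 and 3 from a monitoring job and alerting on any PLAINTEXT row or any false in encrypted_per_pg_tde turns the manual check into a continuous control.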
Why does Percona use an extension for TDE, not a patched core server, like others?
Percona is committed to open source principles, and we innovate PostgreSQL via extensions to ensure more flexibility. We avoid creating a proprietary fork, do not impact users who do not need TDE, and allow encrypting only what’s needed, which is more efficient and future-proof.
How does pg_tde by Percona compare to pgcrypto?
They serve different purposes: pgcrypto is used for application-level encryption (manual, per-column). Use pgcrypto for application-specific needs. pg_tde by Percona is designed for transparent data encryption at the storage level, and should be used for compliance and infrastructure-level protection.