percona · nastena1606 · Mar 26, 2025 · Mar 4, 2025 · Mar 4, 2025 · Mar 5, 2025
@@ -4,7 +4,7 @@
 {% extends "base.html" %}
 
 {% block announce %}
-  This is a Beta2 version of Percona Transparent Encryption extension and it is 
+  This is a Release Candidate of Percona Transparent Data Encryption extension and it is 
   <strong>not recommended for production environments</strong> yet. We encourage you to test it and <a href= "https://forums.percona.com/c/postgresql/pg-tde-transparent-data-encryption-tde/82">give your feedback</a>.
   This will help us improve the product and make it production-ready faster.
 {% endblock %}

@@ -75,14 +75,18 @@ You can use the following KMSs:
 
 HashiCorp Vault can also act as the KMIP server, managing cryptographic keys for clients that use the KMIP protocol. 
 
-Here’s how encryption of data files works:
+Let's break the encryption into two parts:
+
+### Encryption of data files 
 
 First, data files are encrypted with internal keys. Each file that has a different OID, has an internal key. For example, a table with 4 indexes will have 5 internal keys - one for the table and one for each index.	
 
 The initial decision on what file to encrypt is based on the table access method in PostgreSQL. When you run a `CREATE` or `ALTER TABLE` statement with the `USING tde_heap` clause, the newly created data files are marked as encrypted, and then file operations encrypt/decrypt the data. Later, if an initial file is re-created as a result of a `TRUNCATE` or `VACUUM FULL` command, the newly created file inherits the encryption information and is either encrypted or not. 
 
 The principal key is used to encrypt the internal keys. The principal key is stored in the key management store. When you query the table, the principal key is retrieved from the key store to decrypt the table. Then the internal key for that table is used to decrypt the data.
 
+### WAL encryption
+
 WAL encryption is done globally for the entire database cluster. All modifications to any database within a PostgreSQL cluster are written to the same WAL to maintain data consistency and integrity and ensure that PostgreSQL cluster can be restored to a consistent state. Therefore, WAL is encrypted globally. 
 
 When you turn on WAL encryption, `pg_tde` encrypts entire WAL files starting from the first WAL write after the server was started with the encryption turned on.
@@ -98,9 +102,9 @@ Whenever the WAL is being read (by the recovery process or tools), the decision
 
 It depends on your business requirements and the sensitivity of your data. Encrypting all data is a good practice but it can have a performance impact. 
 
-Consider encrypting only tables that store sensitive data. You can decide what tables to encrypt and with what key. The [Setup](setup.md) section in documentation focuses on this approach.
+Consider encrypting only tables that store sensitive data. You can decide what tables to encrypt and with what key. The [Set up multi-tenancy](multi-tenant-setup.md) section in the documentation focuses on this approach.
 
-We advise encrypting the whole database only if all your data is sensitive, like PII, or if there is no other way to comply with data safety requirements. See [How to configure global encryption](global-encryption.md).
+We advise encrypting the whole database only if all your data is sensitive, like PII, or if there is no other way to comply with data safety requirements.
 
 ## What cipher mechanisms are used by `pg_tde`?
 

@@ -27,9 +27,9 @@ Learn more [what is Transparent Data Encryption](tde.md#how-does-it-work) and [w
 * System tables are currently not encrypted. This means that statistics data and database metadata are currently not encrypted.
 
 * `pg_rewind` doesn't work with encrypted WAL for now. We plan to fix it in future releases.
+* `pb_tde` Release candidate is incompatible with `pg_tde`Beta2 due to significant changes in code. There is no direct upgrade flow from one version to another. You must [uninstall](uninstall.md) `pg_tde` Beta2 first and then [install](install.md) and configure the new Release Candidate version.
 
 
-<i warning>:material-alert: Warning:</i> Note that introducing encryption/decryption affects performance. Our benchmark tests show less than 10% performance overhead for most situations. However, in some specific applications such as those using JSONB operations, performance degradation might be higher.
 
 ## Versions and supported PostgreSQL deployments
 

@@ -0,0 +1,44 @@
+# pg_tde Alpha 1 (2024-03-28)
+
+`pg_tde` extension brings in [Transparent Data Encryption (TDE)](tde.md) to PostgreSQL and enables you to keep sensitive data safe and secure.
+
+[Get started](../install.md){.md-button}
+
+
+!!! important
+
+    This version of Percona Transparent Data Encryption extension **is 
+    not recommended for production environments yet**. We encourage you to test it and [give your feedback](https://forums.percona.com/c/postgresql/pg-tde-transparent-data-encryption-tde/82).
+
+    This will help us improve the product and make it production-ready faster.
+
+
+## Release Highlights
+
+The Alpha1 version of the extension introduces the following key features:
+
+* You can now rotate principal keys used for data encryption. This reduces the risk of long-term exposure to potential attacks and helps you comply with security standards such as GDPR, HIPAA, and PCI DSS.
+
+* You can now configure encryption differently for each database. For example, encrypt specific tables in some databases with different encryption keys while keeping others non-encrypted.
+
+* Keyring configuration has undergone several improvements, namely:
+
+    * You can define separate keyring configuration for each database
+    * You can change keyring configuration dynamically, without having to restart the server
+    * The keyring configuration is now stored in a catalog separately for each database, instead of a configuration file
+    * Avoid storing secrets in the unencrypted catalog by configuring keyring parameters to be read from external sources (file, http(s) request)
+
+## Improvements 
+
+* Renamed the repository and Docker image from `postgres-tde-ext` to `pg_tde`. The extension name remains unchanged
+* Changed the Initialization Vector (IV) calculation of both the data and internal keys
+
+## Bugs fixed
+
+* Fixed toast related crashes
+* Fixed a crash with the DELETE statement 
+* Fixed performance-related issues
+* Fixed a bug where `pg_tde` sent many 404 requests to the Vault server
+* Fixed сompatibility issues with old OpenSSL versions
+* Fixed сompatibility with old Curl versions 
+
@@ -0,0 +1,25 @@
+# pg_tde Beta (2024-06-30)
+
+`pg_tde` extension brings in [Transparent Data Encryption (TDE)](tde.md) to PostgreSQL and enables you to keep sensitive data safe and secure.
+
+[Get started](../install.md){.md-button}
+
+!!! important
+
+    This version of Percona Transparent Data Encryption extension **is 
+    not recommended for production environments yet**. We encourage you to test it and [give your feedback](https://forums.percona.com/c/postgresql/pg-tde-transparent-data-encryption-tde/82).
+
+    This will help us improve the product and make it production-ready faster.
+
+## Release Highlights
+
+Starting with `pg_tde` Beta, the access method for `pg_tde` extension is renamed `tde_heap_basic`. Use this access method name to create tables. Find guidelines in [Test TDE](../test.md) tutorial.
+
+## Changelog
+
+* Fixed the issue with `pg_tde` running out of memory used for decrypted tuples. The fix introduces the new component `TDEBufferHeapTupleTableSlot` that keeps track of the allocated memory for decrypted tuples and frees this memory when the tuple slot is no longer needed.
+
+* Fixed the issue with adjusting a current position in a file by using raw file descriptor for the `lseek` function. (Thanks to user _rainhard_ for providing the fix)
+
+* Enhanced the init script to consider a custom superuser for the POSTGRES_USER parameter when `pg_tde` is running via Docker (Thanks to _Alejandro Paredero_ for reporting the issue)
+
@@ -0,0 +1,58 @@
+# pg_tde Beta 2 (2024-12-16)
+
+`pg_tde` extension brings in [Transparent Data Encryption (TDE)](tde.md) to PostgreSQL and enables you to keep sensitive data safe and secure.
+
+[Get started](../install.md){.md-button}
+
+
+!!! important
+
+    This version of Percona Transparent Data Encryption extension **is 
+    not recommended for production environments yet**. We encourage you to test it and [give your feedback](https://forums.percona.com/c/postgresql/pg-tde-transparent-data-encryption-tde/82).
+
+    This will help us improve the product and make it production-ready faster.
+
+## Release Highlights
+
+With this release, `pg_tde` extension offers two database specific versions:
+
+*  PostgreSQL Community version provides only the `tde_heap_basic` access method using which you can introduce table encryption and WAL encryption for data in the encrypted tables. Index data remains unencrypted.
+* Version for Percona Server for PostgreSQL provides the `tde_heap`access method. using this method you can encrypt index data in encrypted tables thus increasing the safety of your sensitive data. For backward compatibility, the `tde_heap_basic` method is available in this version too. 
+
+## Changelog
+
+The Beta 2 version introduces the following features and improvements:
+
+### New Features
+
+* Added the `tde_heap` access method with which you can now enable index encryption for encrypted tables and global WAL data encryption. To use this access method, you must install Percona Server for PostgreSQL. Check the [installation guide](../install.md)
+* Added event triggers to identify index creation operations on encrypted tables and store those in a custom storage. 
+* Added support for secure transfer of keys using the [OASIS Key Management Interoperability Protocol (KMIP)](https://docs.oasis-open.org/kmip/kmip-spec/v2.0/os/kmip-spec-v2.0-os.html). The KMIP implementation was tested with the PyKMIP server and the HashiCorp Vault Enterprise KMIP Secrets Engine. 
+
+### Improvements
+
+* WAL encryption improvements:
+
+   * Added a global key to encrypt WAL data in global space
+   * Added WAL key management
+
+* Keyring improvements:
+
+    * Renamed functions to point their usage for principal key management
+    * Improved keyring provider management across databases and the global space.
+    * Keyring configuration now uses common JSON API. This simplifies code handling and enables frontend tools like `pg_waldump` to read the code thus improving debugging.
+
+* The `pg_tde_is_encrypted` function now supports custom schemas in the format of `pg_tde_is_encrypted('schema.table');`
+* Changed the location of internal TDE files: instead of the database directory, now all files are stored in ` $PGDATA/pg_tde`
+* Improved error reporting when `pg_tde` is not added to the `shared_preload_libraries`
+* Improved memory usage of `tde_heap_basic `during sequential reads
+* Improved `tde_heap_basic` for select statements
+* Added encryption support for (some) command line utilities
+
+### Bugs fixed
+
+* Fixed multiple bugs with `tde_heap_basic` and TOAST records
+* Fixed various memory leaks
+
+
+
@@ -0,0 +1,8 @@
+# pg_tde MVP (2023-12-12)
+
+The Minimum Viable Product (MVP) version of `pg_tde` introduces the following functionality:
+
+* Encryption of heap tables, including TOAST
+* Encryption keys are stored either in Hashicorp Vault server or in local keyring file (for development) 
+* The key storage is configurable via separate JSON configuration files
+* Replication support