Transparent Data Encryption - TDE v1

Transparent Data Encryption, or TDE, is a technology used by several database vendors to encrypt data at rest, i.e. database files on disk. TDE does not however encrypt data in use.

Starting with version 15, EDB Postgres Advanced Server (EPAS) is offering TDE.

The EDB Postgres for Kubernetes operator includes support for TDE, for any operand versions that offer TDE (EPAS version 15 and newer).

Activating TDE on the operator is simple. In the epas section of the manifest, use the tde stanza to enable TDE, and set the Kubernetes secret to use that will hold the TDE encryption key.

For example:

  […]
  postgresql:
    epas:
      tde:
        enabled: true
        secretKeyRef:
          name: tde-key
          key: key

You can find the full example in cluster-example-tde.yaml Note that this file also contains the definition of the Secret to hold the encryption key.

With TDE activated, both the file disks for tables, as well as WAL files, will be encrypted.