Enable pg_tde for securing data at rest

Percona Distribution for PostgreSQL Docker image includes the pg_tde extension to provide data encryption.

For more information, see the pg_tde documentation.

Enable pg_tde

  1. Start the container as shown in Run in Docker, adding the following option to the docker run command:

    -c shared_preload_libraries=pg_tde
    
  2. Connect to the container and start the interactive psql session:

    docker exec -it container-name psql -U postgres
    
    Sample output
    psql (18.3 - Percona Server for PostgreSQL 18.3)
    Type "help" for help.
    
    postgres=#
    
  3. Create the extension in the database where you want to encrypt data. This requires superuser privileges.

    CREATE EXTENSION pg_tde;
    
    Sample output
    postgres=# CREATE EXTENSION pg_tde;
    CREATE EXTENSION
    
  4. Add a key provider that uses a keyring file. This setup stores the keys unencrypted in the specified data file, so the sample configuration below is intended for testing and development purposes only.

    Note

    For production use, we strongly recommend setting up an external key management store and configuring an external key provider. Refer to the Setup topic in the pg_tde documentation.

    Warning

    This example is for testing purposes only.

    SELECT pg_tde_add_database_key_provider_file('file-vault', '/tmp/pg_tde_test_001_basic.per');
    
  5. Create the key:

    SELECT pg_tde_create_key_using_database_key_provider('test-db-key', 'file-vault');
    
  6. Set the principal key:

    SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'file-vault');
    
  7. Create a table with encryption enabled. Pass the USING tde_heap clause to the CREATE TABLE command:

    CREATE TABLE <table_name> (<field> <datatype>) USING tde_heap;
    
    Example:
    
    CREATE TABLE test_users (
        user_id INT,
        username VARCHAR(50),
        email VARCHAR(100),
        signup_date DATE
    ) USING tde_heap;
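
After completing the steps above, you can check from the same psql session that each step took effect and that no table was left unencrypted. This is an added example, not part of the original Percona page; it assumes the `test_users` table from step 7 and that the installed pg_tde version exposes the `pg_tde_list_all_database_key_providers`, `pg_tde_key_info`, `pg_tde_verify_key` and `pg_tde_is_encrypted` functions.

```sql
-- Added verification example (not from the original page).
-- Assumes steps 1-7 were run in the current database.

-- Step 1: the library must appear in the preload list,
-- otherwise the extension cannot encrypt anything.
SHOW shared_preload_libraries;

-- Step 3: the extension is created per database; confirm it exists here.
SELECT extname, extversion
FROM pg_extension
WHERE extname = 'pg_tde';

-- Step 4: list the key providers registered for this database.
-- A file provider here means keys sit unencrypted on disk (dev/test only).
SELECT * FROM pg_tde_list_all_database_key_providers();

-- Steps 5-6: show which principal key is currently set for this database,
-- then verify it; pg_tde_verify_key() raises an error if the key is
-- missing or cannot be validated against the provider.
SELECT * FROM pg_tde_key_info();
SELECT pg_tde_verify_key();

-- Step 7: confirm the table created with USING tde_heap is encrypted.
SELECT pg_tde_is_encrypted('test_users');

-- Audit: user tables and materialized views in this database that do NOT
-- use the tde_heap access method, i.e. data still stored in plaintext.
SELECT n.nspname AS schema_name,
       c.relname AS table_name,
       am.amname AS access_method
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
JOIN pg_am am       ON am.oid = c.relam
WHERE c.relkind IN ('r', 'm')
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND n.nspname NOT LIKE 'pg_toast%'
  AND am.amname <> 'tde_heap'
ORDER BY n.nspname, c.relname;
```

Tables created before the key was set, or created without `USING tde_heap`, show up in the audit query and need to be handled separately.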