<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Malik Tafheem</title>
    <description>The latest articles on DEV Community by Malik Tafheem (@tafheeeem).</description>
    <link>https://dev.to/tafheeeem</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1120590%2F1c4d3e97-eac3-4324-9392-99e2641b10ee.jpg</url>
      <title>DEV Community: Malik Tafheem</title>
      <link>https://dev.to/tafheeeem</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/tafheeeem"/>
    <language>en</language>
    <item>
      <title>Demystifying Transparent Data Encryption (TDE) in EDB Postgres</title>
      <dc:creator>Malik Tafheem</dc:creator>
      <pubDate>Sun, 23 Jul 2023 15:07:03 +0000</pubDate>
      <link>https://dev.to/tafheeeem/demystifying-transparent-data-encryption-tde-in-edb-postgres-54ln</link>
      <guid>https://dev.to/tafheeeem/demystifying-transparent-data-encryption-tde-in-edb-postgres-54ln</guid>
      <description>&lt;h2&gt;
  
  
  What is TDE?
&lt;/h2&gt;

&lt;p&gt;In the simplest terms, TDE is a security measure that encrypts the data your database system stores on disk, that is, data at rest. The beauty of TDE is that it's completely transparent to the application: the server encrypts pages as it writes them and decrypts them as it reads them, so you don't have to modify your application or update client drivers to use it. It's like having a silent guardian for your data, working behind the scenes to keep it safe. Keep the threat model straight, though: TDE protects against someone who can read the files (a stolen disk, a leaked backup, an intruder with OS-level access), not against someone who can run SQL with sufficient privileges, because the data is in the clear once the server has loaded it into memory.&lt;/p&gt;

&lt;h2&gt;
  
  
  What Does TDE Encrypt?
&lt;/h2&gt;

&lt;p&gt;TDE is quite thorough when it comes to encryption. It encrypts the files underlying tables, sequences and indexes, including TOAST tables and system catalogs, and all of their forks (main, free space map, visibility map). These files are known as data files. It also encrypts the write-ahead log (WAL) and the various temporary files used during query processing and database system operation. &lt;br&gt;
But it's just as important to know what TDE doesn't encrypt. Metadata internal to operating the database system that doesn't contain user data, such as the transaction status, isn't encrypted. The file names and file system structure in the data directory, data in foreign tables (which lives outside the cluster anyway), the server diagnostics log, and configuration files also remain unencrypted. The log deserves a second look: if you log statements or errors together with their parameter values, user data ends up in plaintext in the log file, so its permissions and retention need the same care as a backup. &lt;/p&gt;
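&lt;p&gt;The check I would want before trusting any of the above is to see for myself that a table's heap file no longer contains readable row data. The script below is an added example, not code from the post or from EDB: it writes a unique marker into a throwaway table, forces a checkpoint, locates the file with &lt;code&gt;pg_relation_filepath&lt;/code&gt; and greps it. It assumes &lt;code&gt;psql&lt;/code&gt; is on PATH, that your PG* environment or local socket gives you a superuser connection (CHECKPOINT and reading &lt;code&gt;data_directory&lt;/code&gt; need superuser or the matching pg_* roles), that the table name &lt;code&gt;tde_canary&lt;/code&gt; is free, and it uses an assumed variable &lt;code&gt;TDE_CANARY_DB&lt;/code&gt; to trigger the demo.&lt;/p&gt;

```shell
#!/bin/sh
# Added example, not from the post or the EDB docs: a canary check that proves
# table data is unreadable in the on-disk heap file. Assumes psql is on PATH
# and that PG* environment variables or a local socket give a superuser
# connection (CHECKPOINT and data_directory need superuser or the matching
# pg_* roles). The table name tde_canary is assumed to be free.
set -eu

# plaintext_visible FILE STRING: exit 0 if STRING occurs in FILE (read as text
# despite binary content), 1 otherwise. The C locale stops grep from choking
# on bytes that are invalid in a UTF-8 locale.
plaintext_visible() {
  LC_ALL=C grep -a -q -F -- "$2" "$1"
}

# tde_canary_check DBNAME: write a unique marker into a throwaway table, force
# it to disk, locate the heap file and grep it for the marker BEFORE dropping
# the table (a dropped relation's file is truncated at commit, so grepping
# afterwards would always "pass").
# Returns 0 when the marker is not visible (TDE is doing its job), 1 otherwise.
tde_canary_check() {
  db="$1"
  canary="TDE_CANARY_$(date +%s)_$$"
  psql -X -q -v ON_ERROR_STOP=1 -d "$db" \
    -c "CREATE TABLE tde_canary (marker text)" \
    -c "INSERT INTO tde_canary VALUES ('$canary')" \
    -c "CHECKPOINT"
  # pg_relation_filepath is relative to the data directory, so prefix it.
  relfile=$(psql -X -At -d "$db" \
    -c "SELECT current_setting('data_directory') || '/' || pg_relation_filepath('tde_canary')")
  if plaintext_visible "$relfile" "$canary"; then leaked=1; else leaked=0; fi
  psql -X -q -d "$db" -c "DROP TABLE tde_canary"
  if [ "$leaked" -eq 1 ]; then
    echo "FAIL: marker $canary is readable in $relfile (file is not encrypted)"
    return 1
  fi
  echo "OK: marker $canary not found in $relfile"
}

# Demo: only runs when TDE_CANARY_DB (an assumed variable for this example)
# names a database, so the functions above can be sourced anywhere.
if [ -n "${TDE_CANARY_DB:-}" ]; then
  tde_canary_check "$TDE_CANARY_DB"
fi
```

&lt;p&gt;Run it once against a cluster initialised without TDE and watch it report FAIL; that proves the check really detects plaintext and isn't passing for some other reason. On a TDE cluster the same run should report OK. The same grep applied under &lt;code&gt;pg_wal&lt;/code&gt; and to a fresh base backup gives you the equivalent evidence for WAL and backups.&lt;/p&gt;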

&lt;h2&gt;
  
  
  How Does TDE Work?
&lt;/h2&gt;

&lt;p&gt;Now, let's get into the nitty-gritty. TDE encrypts the data files using AES-128-XTS, a mode designed for block storage, so individual pages can still be read and written at random. The WAL is encrypted using AES-128-CTR. Temporary files accessed by block are also encrypted using AES-128-XTS, and other temporary files are encrypted using AES-128-CBC. &lt;br&gt;
EDB Postgres Advanced Server and EDB Postgres Extended Server provide hooks to key management that's external to the database. The data-encryption key itself is never stored in the clear: the cluster keeps a wrapped copy, and at startup the server runs a configurable unwrap command to recover it. That command can be a simple passphrase-based encrypt/decrypt (for example with openssl) or an integration with an enterprise key management solution such as a KMS or HSM, so you have flexibility in how you manage your encryption keys. Whatever you choose, that key (or the passphrase guarding it) is now the one thing standing between an attacker holding a copy of your files and your data, so keep it out of the data directory, out of shell history and out of process listings.&lt;/p&gt;

&lt;h2&gt;
  
  
  Testing a TDE Configuration
&lt;/h2&gt;

&lt;p&gt;If you're like me, you'll want to test out TDE before you fully commit. To run tests in single-user mode with TDE enabled, set the environment variable &lt;code&gt;PG_TEST_USE_DATA_ENCRYPTION&lt;/code&gt;, for example &lt;code&gt;make check PG_TEST_USE_DATA_ENCRYPTION=1&lt;/code&gt;. It's always good to test new features in a controlled environment before rolling them out, and that includes checking that the files on disk really are unreadable, not just that the feature is switched on.&lt;/p&gt;

&lt;h2&gt;
  
  
  Implications of TDE
&lt;/h2&gt;

&lt;p&gt;There are a few things to keep in mind when using TDE. Any WAL fetched from a server using TDE, including by streaming replication and archiving, is encrypted. A physical replica is necessarily encrypted (or not encrypted) in the same way and using the same keys as its primary server. If a server uses TDE, a base backup is automatically encrypted. The flip side is that every replica, every restore and every WAL replay needs access to the same key, so key availability becomes part of your disaster recovery plan: a backup whose key you can no longer unwrap is just random bytes. &lt;/p&gt;

&lt;h2&gt;
  
  
  Performance Impact
&lt;/h2&gt;

&lt;p&gt;You might be wondering, "What's the catch?" Well, the performance impact of TDE is in line with the general overhead for AES encryption: every page read from or written to disk passes through AES, so I/O-heavy workloads feel it more than workloads that stay in shared buffers, and on CPUs with AES hardware instructions the cost is usually modest. But considering the added layer of security it provides, it's a trade-off many are willing to make.&lt;br&gt;
In conclusion, TDE is a powerful tool in your data security toolkit. It provides an additional layer of security by encrypting data stored in the database system, preventing unauthorized viewing of data in operating system files on the database server and on backup storage. It is one layer, though: it doesn't replace access control inside the database, TLS on the wire, or protecting the key itself. &lt;/p&gt;

&lt;p&gt;To know more about TDE in EDB Postgres you can visit &lt;a href="https://www.enterprisedb.com/docs/tde/latest/regress_run/"&gt;EDB docs&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;That's it for today, folks! Remember, in the world of data, security is paramount. Stay safe and keep exploring!&lt;/p&gt;

</description>
      <category>postgres</category>
    </item>
  </channel>
</rss>
