Transparent Data Encryption (TDE) is a CYBERTEC encryption patch for PostgreSQL.

transparent data encryption (TDE)

It is currently the only implementation that supports transparent and cryptographically safe data (cluster) level encryption independent of operating system or file system encryption.

How does Transparent Data Encryption work?

The idea behind the patch is to store all the files which make up a PostgreSQL cluster securely on disk in an encrypted format (data-at-rest encryption) and then decrypt blocks as they are read from disk. However, the data is unencrypted in memory. This only requires that the database is initialized with encryption and that the key used for initializing the database is accessible to the server during startup. The encryption key can be provided through a special configuration parameter specifying a custom key setup command for implementing special security requirements.

The following characteristics should be considered by anyone who is interested in enabling this feature:

1. The encryption is transparent from the application’s point of view.

2. A single key is used to encrypt the whole cluster.



Since the data is stored on a disk, we naturally base our approach on “Disk Encryption Theory”. For each type of file, we use the AES cipher in the appropriate mode of operation. The AES cipher itself encrypts/decrypts individual blocks (encryption blocks) in the most efficient way possible. Your data will be safe on disk.

Fortunately, Intel and AMD offer superior hardware support for AES encryption. This ensures that the performance impact of PostgreSQL TDE is minimal. We have seen systems encrypting and decrypting gigabytes of data per second on modern servers. Given a typical workload, the impact of TDE on performance is essentially negligible.

Encrypting your entire database eco-system

Security is not an isolated issue. To really secure a system, many layers must be considered and it must be ensured that all components are covered. PostgreSQL TDE is therefore the ideal solution for your infrastructure.

PostgreSQL TDE not only provides data-at-rest encryption, but also ensures encryption of the entire ecosystem including …

  • Transport encryption (client / server) via SSL
  • Encrypted replication
  • Fully secured replicas

PostgreSQL TDE integrates perfectly into SELinux and provides a solid foundation for your entire infrastructure. In addition, all functions of standard PostgreSQL are available.

Transparent Data Encryption License

PostgreSQL License

PostgreSQL instance-level encryption download

Older PostgreSQL TDE versions can be downloaded for free from our website. For the latest versions, our sales team will be happy to provide you with a non-binding offer!

Download 12.3 Contact us


How to install PostgreSQL Transparent Data Encryption (TDE)

Read the full installation guide or directly download it as a PDF:

Read installation guide

Report any bugs to

PostgreSQL TDE performance

Check out the performance analysis that compares PostgreSQL v13 with PostgreSQL Transparent Data Encryption.

PostgreSQL Performance: encrypted vs. unencryped


Q: What is actually being encrypted?
A: Everything except pg_stat_statements extension data and transaction metadata.

Q: What is the encryption method used?
A: Industry standard 128-bit AES-CTR cipher.

Q: Can I use another encryption method?
A: No, but if needed we can build support for it.

Q: What is the expected performance penalty?
A: Encryption is accelerated with hardware instructions where available and only applied on I/O. Typical encryption and decryption speed is 5GB/s per CPU core on modern hardware, higher than I/O speed of best available SSD devices. On normal workloads the overhead from encryption is not measurable.

Q: Can I upgrade to an encrypted database?
A: In place encryption of existing clusters is currently not supported. A dump and reload to an encrypted instance is required, or logical replication can be used to perform the migration online.

Q: Is it possible to encrypt only certain tables / tablespaces to win on performance?
A: Currently no. It could theoretically be added later, but as transaction log wants to be fully encrypted anyways and all changes normally go through there, it probably would not be a silver bullet.

Q: Is it possible to change the encryption key for cases when it gets compromised.
A: Currently, one should re-initialize a new cluster and dump / restore. However, you can use the key setup command to implement an encrypted key store and passphrase rotation for the master key.

Q: Does it integrate with my HSM?
A: No, but if needed we can build support for it.

Q: I found a bug. Where should I report that bug to?

A: Please directly report any bugs or problems with TDE to

Q: Is TDE available for PostgreSQL versions 12, 13 & 14?
A: Yes, TDE is now also available for PostgreSQL versions 12-14! Our sales team will be happy to provide you with a non-binding offer! Contact us with the button below for more details.

Contact us