This Cybertec patch to PostgreSQL is currently the only implementation out there that fully supports transparent and cryptographically safe data (cluster) level encryption, independent of operating system or file system encryption.

How does the encryption work?

The idea behind the patch is to store all the files making up a PostgreSQL cluster securely on disk in encrypted form (data-at-rest encryption) and to decrypt blocks as they are read from disk; the data is unencrypted while in memory. This only requires that the database is initialized with encryption in mind and that the key used to initialize the database is accessible to the server during startup. The encryption key can be provided through a special configuration parameter that specifies a custom key setup command, which allows special security requirements to be implemented.

The following characteristics should be considered by anyone interested in enabling this feature:

1. The encryption is transparent from the application’s point of view.

2. A single key is used to encrypt the whole cluster.


Details

Since the data is stored on disk, we naturally base our approach on “Disk Encryption Theory”. For each type of file, we use the AES cipher in the appropriate mode of operation. The AES cipher itself encrypts/decrypts individual blocks (encryption blocks) as efficiently as possible. Your data will be safe on disk.

Fortunately, Intel and AMD offer superior hardware support for AES encryption. This ensures that the performance impact of PostgreSQL TDE is minimal. We have seen systems encrypting and decrypting gigabytes of data per second on modern servers. Given a typical workload, the impact of TDE on performance is basically irrelevant.


Encrypting your entire database eco-system

Security is not an isolated issue. To really secure a system, many layers must be considered and it must be ensured that all components are covered. PostgreSQL TDE is therefore the ideal solution for your infrastructure.

PostgreSQL TDE not only provides data-at-rest encryption, but also ensures encryption of the entire ecosystem, including:

  • Transport encryption (client / server) via SSL
  • Encrypted replication
  • Fully secured replicas

PostgreSQL TDE integrates perfectly into SELinux and provides a solid foundation for your entire infrastructure. In addition, all functions of standard PostgreSQL are available.

License

PostgreSQL License

PostgreSQL instance level encryption Download

Download this tool for free.

FAQ

Q: What is actually being encrypted?
A: Everything except pg_stat_statements extension data and transaction metadata.

Q: What is the encryption method used?
A: Industry standard 128-bit XTS-AES block cipher.

Q: Can I use another encryption method?
A: No, but if needed we can build support for it.

Q: What is the expected performance penalty?
A: Encryption is accelerated with hardware instructions where available and is only applied on I/O. Typical encryption and decryption speed is 5 GB/s per CPU core on modern hardware, higher than the I/O speed of the best available SSD devices. On normal workloads the overhead of encryption is not measurable.

Q: Can I upgrade to an encrypted database?
A: In-place encryption of existing clusters is currently not supported. A dump and reload into an encrypted instance is required, or logical replication can be used to perform the migration online.

Q: Is it possible to encrypt only certain tables / tablespaces to gain performance?
A: Currently no. It could theoretically be added later, but since the transaction log should be fully encrypted anyway and all changes normally pass through it, it probably would not be a silver bullet.

Q: Is it possible to change the encryption key in case it gets compromised?
A: Currently, one should initialize a new cluster and dump / restore. However, you can use the key setup command to implement an encrypted key store and passphrase rotation for the master key.

Q: Does it integrate with my HSM?
A: No, but if needed we can build support for it.