How to check if TDE works?

Some days ago a customer asked me how to check if TDE works and files on disk are encrypted. So I installed a new virtual machine with Ubuntu and installed our PGEE-Demo on it. After installation, the new created cluster is unencrypted. So we can try to create a new table and insert one record on it with a short text. To make sure that the record is saved into the table file I called a checkpoint. To hexdump the table file I need to know the data directory and filepath, you can see all commands here:

So I've now exited psql and can create a hexdump of the table file.

We can see here that PostgreSQL has created an 8 Kbyte file that is initially completely filled with NULL values. At the beginning there is a small header that is of no further interest to us here.
The actual table data is written into the block from the back, and we can see our text here in plain text.

I will now delete the cluster and reinitialize it, this time encrypted. I completely follow the instructions here.

Now the cluster is running with encryption turned on, the command for the encryption key is in postgresql.conf:

I now start psql again to create a table like in the beginning, call a CHECKPOINT and get the path to the file:

Again I call hexdump on the table file:

The dump is now larger, but only because hexdump suppressed all NULL values in the unencrypted dump. So we see that the entire block is encrypted and not just the individual data record. So not only the text is encrypted, but also the entire free area of the table.

