Overview
If you want to start using Transparent Data Encryption (TDE) on your database, you either want to create a new TDE-enabled database server, or you want to migrate an existing database server to a TDE-enabled environment. It is not possible to enable TDE on existing instances.
Regardless of whether you are creating a database server from scratch, or creating a new instance to migrate an existing database server, you have to create a TDE-enabled database by initializing a database cluster using initdb.
Before you begin
Choose a method to secure the data encryption key generated by TDE.
You can protect the key with a passphrase, with a wrapping key from a key store, or choose not to protect the key for testing purposes.
Review the initdb TDE options to ensure you have all information required for the initialization of a TDE-enabled database cluster.
Review the Limitations and TDE-specific options to understand limitations and changes in the handling of PostgreSQL utilities when you enable TDE.
If you plan on migrating data from an existing database server, ensure you perform a backup of the source database server.
Initializing a server
1. Export the wrapping and unwrapping commands to secure the encryption key. Use the wrapping method you chose during the planning phase.
   Alternatively, you can provide the wrapping and unwrapping commands when initializing the server with the command line arguments.
   See Providing the wrapping and unwrapping commands for examples.
2. Initialize a database server with --data-encryption enabled on the target directory. Include other TDE options as required.
3. Start the database cluster and verify that TDE is enabled.
See Tutorials for detailed initialization examples.
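The following is an added example, not code from the page or from the EDB documentation: it emulates how initdb drives an external key-wrap command (the key on stdin, %p replaced by the wrapped-key path) using openssl with a passphrase, checks the round trip and a wrong-passphrase unwrap, and prints how the same templates would be exported before initdb. It assumes openssl is installed and that PGDATAKEYWRAPCMD and PGDATAKEYUNWRAPCMD are the variable names your initdb reads.

```shell
#!/bin/sh
# Added example: passphrase-based wrapping of a TDE data encryption key.
# Assumes openssl is on PATH. Nothing here touches a real database cluster.
set -eu

# Command templates in the form a key-wrap hook expects: the raw key arrives on
# stdin (wrap) or leaves on stdout (unwrap); %p is replaced by the key file path.
WRAP_CMD='openssl enc -e -aes-256-cbc -pbkdf2 -pass env:TDE_PASSPHRASE -out %p'
UNWRAP_CMD='openssl enc -d -aes-256-cbc -pbkdf2 -pass env:TDE_PASSPHRASE -in %p'

# Substitute %p in a template with the given path and run it via sh.
run_keycmd() {
    cmd=$(printf '%s' "$1" | sed "s|%p|$2|g")
    sh -c "$cmd"
}

# Round trip: generate a random 32-byte key, wrap it to a file, unwrap it and
# compare. Returns 0 when the unwrapped key equals the original.
tde_wrap_roundtrip() {
    tmp=$(mktemp -d)
    export TDE_PASSPHRASE="${1:-constructed-test-passphrase}"   # constructed sample
    head -c 32 /dev/urandom > "$tmp/key.raw"
    run_keycmd "$WRAP_CMD" "$tmp/key.wrapped" < "$tmp/key.raw"
    run_keycmd "$UNWRAP_CMD" "$tmp/key.wrapped" > "$tmp/key.out"
    if cmp -s "$tmp/key.raw" "$tmp/key.out"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

# Negative check: unwrapping with a different passphrase must not yield the key.
# openssl normally reports "bad decrypt"; any output it does produce must differ.
tde_wrong_passphrase_check() {
    tmp=$(mktemp -d)
    export TDE_PASSPHRASE='constructed-test-passphrase'
    head -c 32 /dev/urandom > "$tmp/key.raw"
    run_keycmd "$WRAP_CMD" "$tmp/key.wrapped" < "$tmp/key.raw"
    export TDE_PASSPHRASE='constructed-wrong-passphrase'
    run_keycmd "$UNWRAP_CMD" "$tmp/key.wrapped" > "$tmp/key.out" 2>/dev/null || true
    if cmp -s "$tmp/key.raw" "$tmp/key.out"; then rc=1; else rc=0; fi
    rm -rf "$tmp"
    return $rc
}

# Print (do not run) the exports and initdb call that use the same templates.
# PGDATAKEYWRAPCMD / PGDATAKEYUNWRAPCMD are assumed variable names; check your docs.
show_initdb_invocation() {
    printf "export PGDATAKEYWRAPCMD='%s'\nexport PGDATAKEYUNWRAPCMD='%s'\n" "$WRAP_CMD" "$UNWRAP_CMD"
    printf 'initdb --data-encryption -D %s\n' "${1:-/path/to/data-dir}"
}
```

The passphrase is read from the environment rather than embedded in the command template, so it never appears in the cluster configuration or process arguments.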
Migrating data (for existing instances)
If you want to migrate data and objects from an existing database server, use pg_upgrade to copy data from the existing instance:
1. Stop both the source and the new server.
2. Use pg_upgrade with the --copy-by-block option to copy data from the source server to the new server. Include other TDE pg_upgrade options as required.
3. Start the new encrypted database server.
4. Connect to the encrypted database server and ensure the data was transferred.
5. Perform any required cleanup operations.
Note
See TDE pg_upgrade use cases for an overview of the supported enablement and migration use cases.
See Tutorials for detailed migration examples.