Overview
If you want to start using Transparent Data Encryption (TDE) on your database, you'll want to either create a TDE-enabled database server or migrate an existing database server to a TDE-enabled environment. It isn't possible to enable TDE on existing instances.
Regardless of whether you're creating a database server from scratch or creating an instance to migrate an existing database server, you have to create a TDE-enabled database by initializing a database cluster using initdb.
Before you begin
Choose a method to secure the data encryption key generated by TDE.
You can protect the key with a passphrase or with a wrapping key from a key store. For testing purposes only, you can choose not to protect the key at all.
Review the initdb TDE options to ensure you have all information required for initializing a TDE-enabled database cluster.
Review Limitations and TDE-specific options to understand limitations and changes in the handling of PostgreSQL utilities when you enable TDE.
If you plan on migrating data from an existing database server, ensure you perform a backup of the source database server.
Initializing a server
Export the wrapping and unwrapping commands to secure the encryption key. Use the wrapping method you chose during the planning phase.
Alternatively, you can provide the wrapping and unwrapping commands when initializing the server with the command line arguments.
See Providing the wrapping and unwrapping commands for examples.
Initialize a database server with --data-encryption enabled on the target directory. Include other TDE options as required.
Start the database cluster and verify that TDE is enabled.
See Tutorials for detailed initialization examples.
Migrating data (for existing instances)
If you want to migrate data and objects from an existing database server, use pg_upgrade to copy them from the existing instance into the new TDE-enabled server.
Stop both the source server and the new server.
Use pg_upgrade with the --copy-by-block option to copy data from the source server to the new server. Include other TDE pg_upgrade options as required.
Start the new encrypted database server.
Connect to the encrypted database server and ensure the data was transferred.
Perform any required cleanup operations.
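One runbook that covers both procedures above, the initialization steps and the pg_upgrade migration steps, added here as an example rather than taken from the EDB documentation. It assumes the PGDATAKEYWRAPCMD and PGDATAKEYUNWRAPCMD environment variables with a %p placeholder for the key file, the data_encryption_version setting for verifying TDE, and constructed paths; the page itself names only --data-encryption and --copy-by-block.

```shell
#!/bin/sh
# Added example, not EDB's own code. Assumed and not on this page: the
# PGDATAKEYWRAPCMD/PGDATAKEYUNWRAPCMD variables, the %p key-file placeholder,
# and the data_encryption_version setting used to verify TDE. Paths are constructed.
set -eu

NEWDATA="${NEWDATA:-/var/lib/edb/tde-data}"   # new TDE-enabled cluster
PASSFILE="${PASSFILE:-/etc/edb/tde.pass}"     # passphrase file, keep it mode 0400

# Wrap the data encryption key with a passphrase read from a file, not from the
# command line, so the secret never appears in process listings or shell history.
export PGDATAKEYWRAPCMD="openssl enc -e -aes-128-cbc -pbkdf2 -pass file:$PASSFILE -out %p"
export PGDATAKEYUNWRAPCMD="openssl enc -d -aes-128-cbc -pbkdf2 -pass file:$PASSFILE -in %p"

# Succeed only when both commands are set and both carry the %p placeholder
# that TDE substitutes with the key file path.
tde_env_ok() {
  case "${PGDATAKEYWRAPCMD:-}" in *%p*) ;; *) return 1 ;; esac
  case "${PGDATAKEYUNWRAPCMD:-}" in *%p*) ;; *) return 1 ;; esac
}

# initdb invocation for a fresh TDE-enabled cluster in directory $1.
tde_initdb_cmd() { printf 'initdb --data-encryption -D %s' "$1"; }

# pg_upgrade invocation copying an existing cluster block by block into the new one.
# Arguments: old bindir, new bindir, old datadir, new datadir.
tde_upgrade_cmd() {
  printf 'pg_upgrade --copy-by-block -b %s -B %s -d %s -D %s' "$1" "$2" "$3" "$4"
}

# On a running cluster, data_encryption_version is non-zero when TDE is on.
tde_verify() {
  v="$(psql -At -d postgres -c 'SHOW data_encryption_version')"
  [ "$v" != "0" ]
}

# The real steps run only when explicitly requested and the binaries exist.
if [ "${TDE_RUN:-0}" = "1" ] && command -v initdb >/dev/null 2>&1; then
  tde_env_ok
  $(tde_initdb_cmd "$NEWDATA")            # word-split on purpose; no spaces in paths
  pg_ctl -D "$NEWDATA" -w start
  tde_verify && echo "TDE enabled in $NEWDATA"
  pg_ctl -D "$NEWDATA" -w stop
  # Then, with both servers stopped: $(tde_upgrade_cmd OLDBIN NEWBIN OLDDATA "$NEWDATA")
fi
```

Set TDE_RUN=1 on a host with the EDB binaries to execute the steps; without it the script only defines and validates the commands.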
Note
See TDE pg_upgrade use cases for an overview of the supported use cases for enabling and migrating.
See Tutorials for detailed migration examples.