Transparent Data Encryption (TDE) is a CYBERTEC patch to PostgreSQL. It is currently the only implementation available that fully supports transparent and cryptographically safe data (cluster) level encryption, independent of operating-system or file-system encryption.

How does Transparent Data Encryption work?

The idea behind the patch is to store all the files making up a PostgreSQL cluster on disk in encrypted form (data-at-rest encryption) and to decrypt blocks as they are read from disk. The data is, however, unencrypted in memory. This only requires that the database is initialized with encryption in mind and that the key used for initializing the database is accessible to the server during startup. The encryption key can be provided through a special configuration parameter specifying a custom key setup command, which allows special security requirements to be implemented.
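As an added illustration of what such a key setup command can look like (example script, not CYBERTEC's own), the script below reads the cluster key from a file kept outside the data directory, refuses keys whose file permissions would let other users read them, and prints the key to stdout. The location `/etc/postgresql/tde.key`, the `TDE_KEY_FILE` override and the assumption that the server expects a 64-character hex string (256-bit key) on stdout are all assumptions, not the patch's documented contract.

```shell
#!/bin/sh
# Hypothetical key setup command for a TDE-enabled cluster (added example).
# Assumed contract: print the key as a 64-char lowercase hex string to stdout
# and exit non-zero if the key cannot be provided, so the server refuses to start.
# The key file lives outside PGDATA: a copy of the data directory alone is useless.

KEY_FILE="${TDE_KEY_FILE:-/etc/postgresql/tde.key}"   # assumed path

# Reject key files readable by group or others (GNU stat; assumes Linux).
check_key_perms() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# The file must hold exactly one 256-bit key encoded as 64 lowercase hex digits.
validate_key() {
    key=$(tr -d '\n' < "$1")
    printf '%s' "$key" | grep -Eq '^[0-9a-f]{64}$'
}

# Print the key only if both checks pass; diagnostics go to stderr, never the key.
emit_key() {
    check_key_perms "$1" || { echo "key file $1 must be mode 0400 or 0600" >&2; return 1; }
    validate_key "$1"    || { echo "key file $1 is not a 256-bit hex key" >&2; return 1; }
    tr -d '\n' < "$1"
}

# Run as a key setup command with: tde_key_setup.sh --emit
if [ "${1:-}" = "--emit" ]; then
    emit_key "$KEY_FILE"
fi
```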

The following characteristics should be considered by anyone interested in enabling this feature:

1. The encryption is transparent from the application’s point of view.

2. A single key is used to encrypt the whole cluster.