Releases: percona/pg_tde
Beta 1
The Beta version introduces the following bug fixes and improvements:
Fixed the issue with pg_tde running out of memory used for decrypted tuples. The fix introduces the new component TDEBufferHeapTupleTableSlot that keeps track of the allocated memory for decrypted tuples and frees this memory when the tuple slot is no longer needed.
Fixed the issue with adjusting a current position in a file by using raw file descriptor for the lseek function. (Thanks to user rainhard for providing the fix)
Enhanced the init script to consider a custom superuser for the POSTGRES_USER parameter when pg_tde is running via Docker (Thanks to Alejandro Paredero for reporting the issue)
Alpha 1
pg_tde release notes
Alpha 1 (2024-03-28)
pg_tde
extension brings in Transparent Data Encryption (TDE) to PostgreSQL and enables you to keep sensitive data safe and secure.
Release Highlights
The technical preview of the extension introduces the following key features:
-
You can now rotate master keys used for data encryption. This reduces the risk of long-term exposure to potential attacks and helps you comply with security standards such as GDPR, HIPAA, and PCI DSS.
-
You can now configure encryption differently for each database. For example, encrypt specific tables in some databases with different encryption keys while keeping others non-encrypted.
-
Keyring configuration has undergone several improvements, namely:
- You can define separate keyring configuration for each database
- You can change keyring configuration dynamically, without having to restart the server
- The keyring configuration is now stored in a catalog separately for each database, instead of a configuration file
- Avoid storing secrets in the unencrypted catalog by configuring keyring parameters to be read from external sources (file, http(s) request)
Improvements
- Renamed the repository and Docker image from
postgres-tde-ext
topg_tde
. The extension name remains unchanged - Changed the Initialization Vector (IV) calculation of both the data and internal keys
Bugs fixed
- Fixed toast related crashes
- Fixed a crash with the DELETE statement
- Fixed performance-related issues
- Fixed a bug where
pg_tde
sent many 404 requests to the Vault server - Fixed сompatibility issues with old OpenSSL versions
- Fixed сompatibility with old Curl versions
MVP (2023-12-12)
The Minimum Viable Product (MVP) version introduces the following functionality:
- Encryption of heap tables, including TOAST
- Encryption keys are stored either in Hashicorp Vault server or in local keyring file (for development)
- The key storage is configurable via separate JSON configuration files
- Replication support
HEAD
What's Changed
- Basic encryption code by @dutow in #2
- Fix compilation with PGXS by @dAdAbird in #3
- Remove full tuple encrytion by @dAdAbird in #4
- Adding basic github actions which test different build modes by @dutow in #7
- Use postgres mem context in decryption by @dAdAbird in #6
- Code re-arrangement, Makefile fixes and implementing '.tde' relation fork by @codeforall in #5
- Revert changes in upstream code and use specific commits for CI checks by @dutow in #11
- Adding infrastructure to clean files based on transaction status by @codeforall in #10
- Minimal keyring prototype by @dutow in #8
- Fixing page pruning / compaction crash by @dutow in #15
- Merge with the latest PG 16 sources as well as addition of the heap_merge.sh tool by @EngineeredVirus in #18
- Added documentation by @dutow in #17
- Deleting respective tde fork file with Drop Table by @codeforall in #19
- Merge current code to main branch by @dutow in #20
- Fix VACUUM FULL by @dAdAbird in #22
- Fix compaction of non-presorted tuples by @dAdAbird in #21
- Uploading pgdg binary package by @dutow in #23
New Contributors
- @codeforall made their first contribution in #5
- @EngineeredVirus made their first contribution in #18
Full Changelog: https://github.com/Percona-Lab/postgres-tde-ext/commits/latest