If you’ve been following the buzz around PostgreSQL, you’ve probably already heard that database-level, open source data-at-rest encryption is now available thanks to the Transparent Data Encryption (TDE) extension in the Percona Distribution for PostgreSQL. So naturally, the next question is:
Where’s Percona Distribution for PostgreSQL 18?
The short answer:
It’s coming.
The slightly longer one:
It’s taking a bit of time, for all the right reasons.
Why the delay?
We’ve been laser-focused on advancing pg_tde maturity, making it ready for your production workloads. We succeeded, and now you can use Percona Distribution for PostgreSQL together with TDE in production! The next steps for us are:
1. Merging the changes to PostgreSQL 18.
2. Ensuring that the patches that make TDE on PostgreSQL possible are accepted by the PostgreSQL community.
As part of both of these efforts, we took the time to thoroughly test TDE against PostgreSQL 18. During that process, we found that using TDE on PostgreSQL 18 requires some extra work to ensure the new Asynchronous I/O (AIO) feature works as designed. Since TDE extends the Storage Manager (SMGR), it needs to integrate smoothly with the changes introduced by AIO. That’s what we are focusing on now, and we definitely do not want to rush it.
Percona stands for quality of services and products. Databases are the foundation of information systems; outside of security, the most important values are stability and availability. To respect these values, we chose not to push a major release just for the sake of timing, but instead to take the time to do things properly.
We’re planning to release TDE with the first minor patch of PostgreSQL 18, currently scheduled for November 13.
Taking our time responsibly
Most production users don’t deploy brand new major releases on day one. Typically, even the users we’ve seen adopt new versions fastest wait for a minimum of 1-2 minor releases before running a new major version in production.
That gives us a valuable window to make sure everything is rock-solid before it reaches your clusters. We’re using that time wisely: testing, aligning, and polishing so that when you upgrade to PostgreSQL 18 with Percona TDE, it’ll feel like it was part of the core all along.
Oh, and something new is brewing…
As PostgreSQL 18 introduces OAuth Authorization/Authentication, we tried using it with OpenID Connect (OIDC). OIDC is an identity layer built on top of OAuth 2.0, adding user authentication to OAuth’s authorization capabilities.
We tried using OIDC from a number of providers and came to the conclusion that there’s currently no easy way of using it with PostgreSQL 18. The key missing component to make it work is a validator library that can validate the identity tokens.
I’m happy to share that we started working on OIDC support for PostgreSQL, built on top of the OAuth support introduced in PG18. The first beta release of our OIDC validator library is coming soon, so stay tuned for that!
How to help?
Easy, share your feedback!
- Have you tried pg_tde? Tell us what worked, what didn’t, and how it felt in real use.
- Looking for OIDC in PostgreSQL? We’d love your thoughts once the beta drops.
- Using pg_stat_monitor? Share how you’re using it and help us make it better.
We’re invested in making open source databases more secure, flexible and ready for whatever you throw at them, one careful step at a time.