Percona Brings Transparent Data Encryption to Postgres
At KubeCon+CloudNativeCon North America last week, premium database service provider Percona demonstrated its new technology for encrypting data at rest on PostgreSQL database systems.
With the Transparent Data Encryption (TDE) extension (called pg_tde) for Percona for PostgreSQL, organizations can encrypt their sensitive data within their Postgres databases.
Addressing the Market Need for Open Source PostgreSQL TDE
“There was a gap in the market for at-rest data encryption for Postgres: We had a bunch of financial customers and interested financial users who had to buy this feature,” explained Blair Rampling, in a KubeCon boothside interview with TNS. “But they didn’t want that vendor lock-in. They wanted the open source version.”
TDE is “transparent” in that the encryption is invisible to the user and the schema. Data is entered and queried as per usual. Those snooping around the server without proper credentials, however, will see only the encrypted data, as it can only be unlocked through an on-board decryption engine. All the popular key management services are supported.
The overhead of encrypting and decrypting data is minimal.
The extension comes as part of the Percona’s own distribution for PostgreSQL, and is also recognized and supported by the company’s managed services, and consulting services. No additional licensing costs are needed to use the extension.
It is not available at this time for other versions of Postgres, the company may expand it for its vanilla Postgres itself at some point, pending community support, Rampling said.
Compliance Benefits With PostgreSQL Data Encryption
Such encryption will also help them meet strict compliance requirements such as GDPR, HIPAA, SOX, and PCI DSS v4.0. In such cases, it takes care of the requirements where encrypting data at the storage layer that Postgres itself uses is not sufficient.
According to Percona, other benefits include:
- Open Source and Production-Ready: Get the only open source TDE solution for PostgreSQL ready for production — no gated features, licenses, subscriptions, or closed source.
- Stronger Data Protection: Encrypt all database files on disk, ensuring sensitive information remains secure even if storage is compromised.
- Granular, User-Controlled Encryption: Gain ultimate flexibility with multi-tenant support and the ability to encrypt at the table level, utilizing unique keys for each database. You retain full control over your encryption strategy, choosing precisely what to protect without being forced into cluster-wide encryption.
- Seamless Integration: Deploy TDE without any changes to your application code. Modernize and secure your back-end without disrupting business operations.
- Centralized Key Management: Streamline key lifecycle management with integrations to leading Key Management Services (KMS) providers such as Hashicorp, Thales, Fortanix, and OpenBao, making it easier to enforce security policies and manage encryption keys securely.
- Effortless Online Encryption and Key Management: Integrate encryption seamlessly by simply adding a new extension and performing online encryption. Enjoy the convenience of online key rotation, ensuring continuous data protection with minimal operational overhead.
- Trusted Support and Services: Strengthen PostgreSQL security with 24/7 Support and Services for deployment and ongoing management.
Percona specializes in offering premium (and distributions) for open source database systems. In addition to Postgres, the company also supports MySQL and MongoDB. It is also a supporting of the emerging Valkey, a fork of the Redis data cache.
