Enabling TDE on an existing EDB Postgres Advanced Server cluster
Enabling TDE on an EDB Postgres Advanced Server cluster
Create a new EDB Postgres Advanced Server cluster with TDE enabled
and use pg_upgrade
to transfer data from the existing source cluster to the new encrypted cluster.
- Prepare your upgrade by performing a backup of the existing instance.
- Create a new database server
- Create an empty directory for the new server and ensure
enterprisedb
owns it. - Set the environment variables to export the
wrap
andunwrap
commands for encryption. - Initialize a server with encryption enabled.
- Change the default port, so the new server is available at another port.
- Start the database server.
- Connect to the database server and ensure it is functioning.
- Create an empty directory for the new server and ensure
- Upgrade to the encrypted server
- Stop both the source and the new server.
- Use
pg_upgrade
with--copy-by-block
option to copy data from the source server to the new server. Specify the source and target bin and data directories. - Start the new encrypted databaser server.
- Connect to the encrypted database server and ensure the data was transfered.
- Clean up and delete the source server
- Clean up the database and its statistics.
- Remove the source EDB Postgres Advanced Server cluster with the script provided by
pg_upgrade
.
Worked example
This example enables Transparent Data Encryption on an EDB Postgres Advanced Server version 16 running on an Ubuntu 22.04 machine.
A similar workflow applies to other versions of EDB Postgres Advanced Server and EDB Postgres Extended Server. Note that the location of the BIN and CONFIG directories differs depending on your operating system and the Postgres version.
Preparing your upgrade
Use pg_dumpall, pgBackRest, or Barman to create a backup of your unencrypted source server.
Creating an encrypted server
Create an empty directory for the new server. In this example, the directory name is
TDE
.Ensure the
enterprisedb
user owns the directory:Set environment variables to export the
wrap
andunwrap
commands:Note
Alternatively, use the
--key-unwrap-command=<command>
and--key-wrap-command=<command>
arguments when initializing the encrypted server to include thewrap
andunwrap
commands.See Using initdb TDE options for more information on possible configurations.
Initialize the new server with encryption:
This command initializes a CONFIG directory with all configuration files for the encrypted server.
Modify the port number in the configuration file of the encrypted instance. Uncomment the line with
#port
and change the port number. For example:Start the encrypted server:
Connect to the server:
Note
If you're using two different Postgres versions, use the psql utility of the encrypted server. Otherwise, the system will attempt to use psql from the previous instance.
To ensure the new server is encrypted, check for TDE presence.
Upgrading to the encrypted server
Stop both servers:
To test for incompatibilities, run the
pg_upgrade
command in check mode.With
-b
and-B
, specify the source and target BIN directories. With-d
and-D
, specify the source and target CONFIG directories. Include the--copy-by-block
option.Note
The
--check
mode performs preliminary checks without executing the command.To copy data from the source server to the target server, run the
pg_upgrade
command in normal mode:Restart the encrypted server:
Connect to the encrypted database server:
Perform a spot check to ensure the databases, tables, schemas, and resources you had in the unencrypted server are available in the new server. For example, list all databases:
Connect to a database, for example
hr
, and search for existing tables:
Cleaning up after upgrade
After you verify that pg_upgrade
encrypted the data successfully, perform a cleanup.
Clean up the database and its statistics:
Remove all data files of the unencrypted server with the script generated by
pg_upgrade
: