Open source database software support and services company Percona has unveiled pg_tde, its Transparent Data Encryption (TDE) extension for PostgreSQL, aimed at protecting sensitive data at rest and at helping users meet compliance requirements. According to Percona, the extension ships without licensing fees or usage restrictions.
What is transparent encryption?
Transparent Data Encryption, or TDE, is designed for data at rest, meaning information stored on persistent storage volumes or disks. It encrypts and decrypts automatically at the database layer, so applications need no modification and no additional services are required. The threat it addresses is theft or copying of the underlying storage, backups and transaction logs: anyone who obtains the files without the key sees only ciphertext. It does not protect against a party who can connect to the database with valid credentials, because the server decrypts data transparently for every authorised query. While primarily associated with database protection, TDE can also cover backups and transaction logs. The encryption keys are stored separately from the data itself and can be protected with certificates, a key management service or other security mechanisms.
Percona emphasizes that it is delivering enterprise-grade encryption to the open source PostgreSQL community, allowing for seamless encryption of data at rest in a manner that remains “automatic and transparent” to applications.
The pg_tde extension is aimed at risk management and compliance, shielding sensitive data from unauthorized access and helping organizations meet regulations such as GDPR, HIPAA, SOX, and PCI DSS v4.0. The last of these (requirement 3.5.1.2) establishes that disk- or partition-level encryption on its own is no longer sufficient to render stored "cardholder data" unreadable.
Cardholder data (CHD) encompasses Personally Identifiable Information (PII) related to payment cards, including the Primary Account Number (PAN), cardholder name, expiration date, and service code.
Key functionalities
Percona describes pg_tde as the only production-ready open source TDE solution for PostgreSQL, with no "gated features" or other licensing, subscription, or closed-source limitations. Its main capabilities:
- Users can encrypt all database files on disk.
- Multi-tenant support is available.
- Encryption can be applied at the database table level, with unique keys for each database.
Database administrators maintain complete control over their encryption strategies, allowing them to selectively protect data without being compelled to implement cluster-wide encryption.
Teams can deploy TDE without altering application code and can manage the key lifecycle through integrations with Key Management Service (KMS) providers such as HashiCorp Vault, Thales, Fortanix, and OpenBao. Keeping the principal keys in an external KMS is what makes the separation of keys from data meaningful: a copy of the data directory alone is useless without access to the key service.
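As an added illustration of the selective, per-database model described above (this is the editor's example, not code from the article or from Percona's documentation), the SQL below encrypts only the table that holds cardholder data in one database and then verifies the result. The function and access-method names follow pg_tde's documented SQL interface as the editor understands it; they have changed between pg_tde releases, so treat them as assumptions and confirm them with `\df pg_tde_*` on your own server. The paths, URL, key name and sample row are all constructed for the example.

```sql
-- Added example (not from the article or from Percona): selective, per-table TDE
-- in one database with pg_tde. Assumes Percona Server for PostgreSQL with
-- shared_preload_libraries = 'pg_tde' already set, and that the pg_tde function
-- names below match the installed release (check with \df pg_tde_*).

CREATE EXTENSION IF NOT EXISTS pg_tde;

-- 1. Register a key provider for THIS database.
--    The file provider is for local testing only: it keeps the principal key on
--    the same host as the data, which defeats the purpose of TDE against disk
--    theft. In production use one of the KMS providers named in the article so
--    the key lives off the database server (assumed function name and path).
SELECT pg_tde_add_database_key_provider_file(
         'local-file-provider', '/var/lib/pgsql/tde/keyring.per');

-- Production-style alternative (assumed signature: name, URL, mount path,
-- token file, CA file); shown commented out so the example runs offline.
-- SELECT pg_tde_add_database_key_provider_vault_v2(
--          'vault-prod', 'https://vault.example.internal:8200', 'secret',
--          '/etc/pg_tde/vault.token', '/etc/ssl/certs/ca.pem');

-- 2. Set this database's principal key, served by that provider. Every other
--    database in the cluster gets its own principal key (the multi-tenant point).
SELECT pg_tde_set_key_using_database_key_provider(
         'payments-principal-key', 'local-file-provider');

-- 3. Encrypt selectively: only the cardholder-data table uses the encrypted
--    access method; the reference table stays on the default heap.
CREATE TABLE card_on_file (
    id          bigserial PRIMARY KEY,
    customer_id bigint NOT NULL,
    pan         text   NOT NULL,   -- Primary Account Number: never log this column
    expiry      text   NOT NULL
) USING tde_heap;

CREATE TABLE currency (
    code text PRIMARY KEY,
    name text NOT NULL
);  -- plain heap: nothing sensitive here, so no encryption overhead

INSERT INTO card_on_file (customer_id, pan, expiry)
VALUES (42, '4111111111111111', '12/29');   -- constructed test PAN

-- 4. Verify what is and is not encrypted before showing the auditor.
SELECT 'card_on_file' AS relation, pg_tde_is_encrypted('card_on_file') AS encrypted
UNION ALL
SELECT 'currency',                 pg_tde_is_encrypted('currency');
-- card_on_file should report true and currency false.

-- 5. Transparency check: a connected role still reads plaintext. TDE protects
--    the files on disk, not against anyone who can log in and SELECT.
SELECT customer_id, right(pan, 4) AS pan_last4 FROM card_on_file;
```

The point of step 5 is the caveat every practitioner should keep in mind: the same transparency that spares application changes means database-level access control, auditing and least-privilege roles still carry the weight against insiders and compromised credentials. To encrypt everything rather than one table, the usual approach is to make `tde_heap` the default access method for new tables (for example via `default_table_access_method`) and to enable WAL encryption; the exact setting names are release-specific and should be taken from the pg_tde documentation for your version.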
Inside track from CTO
Liz Warner, CTO of Percona, highlights that encryption for data at rest is a necessity across various standards, regulations, and policies. While some, like PCI DSS, mandate it directly, others, such as GDPR, recommend encryption and impose penalties for the exposure of unencrypted data. Standards like ISO generally advocate for the encryption of sensitive information.
“Historically, TDE has not been available in the open source community version of PostgreSQL. If organizations wanted TDE, they had to resort to commercial products. At Percona, we recognized this gap as a significant barrier preventing customers from transitioning to PostgreSQL, so we developed pg_tde to provide this functionality within a fully open source framework. This empowers users to adopt PostgreSQL while remaining compliant with regulations, all without the need to rewrite applications or fall into vendor lock-in with proprietary TDE solutions,” explained Warner during a recent discussion with Techzine in London.
Warner elaborated on how pg_tde fits into the broader PostgreSQL ecosystem, noting that it currently requires a patched PostgreSQL server. Percona supplies this server, along with a suite of other extensions, in its open source Percona Distribution for PostgreSQL, bridging the gap for teams that want a fully open source database and also need encryption at rest.
How it works
“The necessity to utilize Percona Server for PostgreSQL with pg_tde arises from the requirement to interface with the Storage Manager (SMGR) API. This API allows PostgreSQL extensions to integrate custom storage managers and the Write Ahead Logging (WAL) Read/Write API, which are essential for enabling WAL encryption of indexes,” Warner explained.
Percona aims to make pg_tde usable with Community PostgreSQL; however, this depends on the proposed server patches being accepted upstream, a process that takes time. Some of the code needed for this has already been submitted to the PostgreSQL community and is currently under review.
When asked why developers and DBAs should prioritize compliance, Warner noted that modern application developers are increasingly concerned about the security of applications—and by extension, databases. Compliance teams within organizations seek assurance that operations align with regulatory standards, which necessitates examining how digital services or applications function in practice. These applications must adhere to established best practices regarding security and compliance, alongside user experience and system design. However, the onus of these responsibilities often falls on developers, who are simultaneously tasked with building new functionalities and managing integrations with other systems.
Is data at rest safer?
Application-level encryption is often regarded as the strongest way to protect data at rest, since the database (and therefore the DBA) only ever sees ciphertext, but it comes at a significant cost. It usually has to be designed in from the outset, it moves key handling and searching or indexing problems into the application, and it carries ongoing maintenance expense. For many organizations, especially those reliant on legacy systems or proprietary, off-the-shelf software where they do not control the code, application-level encryption is simply not an option.
“In these cases, database-level security solutions like TDE present a crucial alternative. TDE can alleviate the absence of application-level encryption by providing a robust security layer at the database level, effectively reducing the burden of needing application-level security. It offers organizations an additional option to establish a strong security posture while accepting some inherent risks, without necessitating extensive re-architecture for application-level encryption,” stated Warner.
Developers adore automation
Developers consistently seek ways to automate tasks, and compliance is no exception. Strategies such as policy as code or security as code enable teams to streamline compliance management over time. However, without a foundational understanding of how compliance integrates into existing infrastructure and technology stacks, achieving this automation can be challenging, potentially leading to increased burdens on developers over time.
“Ideally, developers can proactively address these requirements using open source projects that meet their needs, such as pg_tde. Nevertheless, this must be part of a broader compliance strategy that simplifies processes for developers rather than adding further responsibilities,” concluded Warner.
Currently, the pg_tde extension is included in the Percona Distribution for PostgreSQL. Percona also offers support for TDE as part of its PostgreSQL Support, Managed Services, and Consulting services to assist in the setup and configuration of the extension.