Chapter 53. Transparent Data Encryption

Table of Contents

53.1. Setting up the encryption key
53.2. Creating an encrypted database

The idea behind Transparent Data Encryption (TDE) is to store all the files that make up a PostgreSQL Enterprise Server cluster securely on disk in an encrypted format (data-at-rest encryption). Blocks are then decrypted as they are read from disk. This only requires that the database is initialized with encryption and that the key used for initializing the database is accessible to the server during startup. A special configuration parameter provides a command for implementing special security requirements.

The following characteristics should be considered by anyone interested in enabling this feature:

  1. The encryption is transparent from the application’s point of view.

  2. It uses a single key to encrypt the whole cluster. Supported encryption ciphers are AES (128, 192 and 256 bits) and 3DES (168 bits).

Since the data is stored on a disk, we naturally base our approach on "Disk Encryption Theory". For each type of file, we use the AES or 3DES ciphers in the appropriate mode of operation. The ciphers encrypt/decrypt individual blocks (encryption blocks) in the most efficient way possible. Your data will be safe on disk.

Fortunately, Intel and AMD offer superior hardware support for AES encryption. This ensures that TDE has a minimal performance impact. We have seen systems encrypting and decrypting gigabytes of data per second on modern servers. Given a typical workload, the impact of TDE on performance is essentially negligible.

TDE not only provides data-at-rest encryption, but also ensures encryption of the entire ecosystem including: