From 4e348a0988bebb878479065fd5f89d153ef62b3a Mon Sep 17 00:00:00 2001 From: Dragos Andriciuc Date: Fri, 13 Jun 2025 13:50:36 +0300 Subject: [PATCH 01/16] added release notes v1.0 Added the draft release notes for 1.0, updated mkdocs and release notes md with paths --- .../docs/release-notes/release-notes-v1.0.md | 34 +++++++++++++++++++ .../docs/release-notes/release-notes.md | 4 +++ contrib/pg_tde/documentation/mkdocs.yml | 1 + 3 files changed, 39 insertions(+) create mode 100644 contrib/pg_tde/documentation/docs/release-notes/release-notes-v1.0.md diff --git a/contrib/pg_tde/documentation/docs/release-notes/release-notes-v1.0.md b/contrib/pg_tde/documentation/docs/release-notes/release-notes-v1.0.md new file mode 100644 index 0000000000000..099024eafa56f --- /dev/null +++ b/contrib/pg_tde/documentation/docs/release-notes/release-notes-v1.0.md 
@@ -0,0 +1,34 @@ +# pg_tde 1.0 ({{date.1.0}}) + +`pg_tde` extension brings in [Transparent Data Encryption (TDE)](../index/index.md) to PostgreSQL and enables you to keep sensitive data safe and secure. + +[Get Started](../install.md){.md-button} + +## Release Highlights + +This release provides the following features and improvements: + +* **Type Release Highhlights here** + +## Upgrade considerations + +`pg_tde` Release Candidate 2 is not backward compatible with `pg_tde` Beta2 due to significant changes in code. This means you cannot directly upgrade from one version to another. You must [uninstall](../how-to/uninstall.md) `pg_tde` Beta2 first and then [install](../install.md) and configure the new Release Candidate version. + +## Known issues + +* The default `mlock` limit on Rocky Linux 8 for ARM64-based architectures equals the memory page size and is 64 Kb. This results in the child process with `pg_tde` failing to allocate another memory page because the max memory limit is reached by the parent process. + +To prevent this, you can change the `mlock` limit to be at least twice bigger than the memory page size: + +* temporarily for the current session using the `ulimit -l ` command. +* set a new hard limit in the `/etc/security/limits.conf` file. To do so, you require the superuser privileges. + +Adjust the limits with caution since it affects other processes running in your system. + +## Changelog + +### New Features + +## Improvements + +### Bugs Fixed diff --git a/contrib/pg_tde/documentation/docs/release-notes/release-notes.md b/contrib/pg_tde/documentation/docs/release-notes/release-notes.md index f5306753eaa77..b81060b9305ca 100644 --- a/contrib/pg_tde/documentation/docs/release-notes/release-notes.md +++ b/contrib/pg_tde/documentation/docs/release-notes/release-notes.md 
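Review bot: `{{date.1.0}}` in the H1 will not resolve as written: the value this series adds to variables.yml is `date.1.0: '2025-05-29'` nested under `date:`, so the literal key is `date.1.0` inside the `date` map and a dotted Jinja lookup never reaches it (the later rename to `GA10` is the right shape). Within the same file, `## Improvements` is at H2 between `### New Features` and `### Bugs Fixed`, so it renders as a sibling of `## Changelog`; make it `### Improvements`. The `* **Type Release Highhlights here**` placeholder (with the typo) should not land even in a draft, and `ulimit -l ` in the known-issues list is missing its argument; write it as `ulimit -l <limit-in-KB>` so readers know a value goes there.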
@@ -2,6 +2,10 @@ `pg_tde` extension brings in [Transparent Data Encryption (TDE)](../index/index.md) to PostgreSQL and enables you to keep sensitive data safe and secure. + +* [Percona Transparent Data Encryption ({{date.1.0}})](release-notes-v1.0.md) +* [pg_tde 1.0 ({{date.1_0}})](release-notes-v1.0.md) +* [pg_tde Release Candidate 2 (RC2) ({{date.RC2}})](rc2.md) * [pg_tde Release Candidate 2 (RC2) ({{date.RC2}})](rc2.md) * [pg_tde Release Candidate ({{date.RC}})](rc.md) * [pg_tde Beta2 (2024-12-16)](beta2.md) diff --git a/contrib/pg_tde/documentation/mkdocs.yml b/contrib/pg_tde/documentation/mkdocs.yml index ab8c6e25236ff..7fedb5e01d6da 100644 --- a/contrib/pg_tde/documentation/mkdocs.yml +++ b/contrib/pg_tde/documentation/mkdocs.yml @@ -194,6 +194,7 @@ nav: - faq.md - "Release Notes": - "pg_tde release notes": release-notes/release-notes.md + - release-notes/release-notes-v1.0.md - release-notes/rc2.md - release-notes/rc.md - release-notes/beta2.md From b3d2982696a94be86867ced7ca91229ac2e77452 Mon Sep 17 00:00:00 2001 From: Dragos Andriciuc Date: Fri, 13 Jun 2025 18:07:04 +0300 Subject: [PATCH 02/16] Update variables.yml updated release date and number --- contrib/pg_tde/documentation/variables.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/contrib/pg_tde/documentation/variables.yml b/contrib/pg_tde/documentation/variables.yml index 9d4aa480f8364..f0a38ed0c8edf 100644 --- a/contrib/pg_tde/documentation/variables.yml +++ b/contrib/pg_tde/documentation/variables.yml @@ -1,9 +1,10 @@ #Variables used throughout the docs -release: 'RC2' +release: '1.0' pgversion17: '17.5' tdebranch: TDE_REL_17_STABLE date: + date.1.0: '2025-05-29' RC2: '2025-05-29' RC: '2025-03-27' From ce895270e4aaaca1618836582601c3aad440d998 Mon Sep 17 00:00:00 2001 
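Review bot: the release-notes.md hunk adds two index entries for the same page, `Percona Transparent Data Encryption ({{date.1.0}})` and `pg_tde 1.0 ({{date.1_0}})`, using two different variable spellings, and also adds a second `* [pg_tde Release Candidate 2 (RC2) ({{date.RC2}})](rc2.md)` directly above the existing one, so RC2 is now listed twice; keep one 1.0 entry and drop the added RC2 line. The leading `+` blank line also leaves a double empty line after the intro paragraph. In the variables.yml hunk the new 1.0 date `'2025-05-29'` is identical to `RC2: '2025-05-29'`, which looks like a placeholder rather than the GA date; confirm before this is published.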
From: Dragos Andriciuc Date: Mon, 16 Jun 2025 11:08:09 +0300 Subject: [PATCH 03/16] Update release-notes-v1.0.md small content update for upgrade considerations --- .../documentation/docs/release-notes/release-notes-v1.0.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contrib/pg_tde/documentation/docs/release-notes/release-notes-v1.0.md b/contrib/pg_tde/documentation/docs/release-notes/release-notes-v1.0.md index 099024eafa56f..45373aea19c6b 100644 --- a/contrib/pg_tde/documentation/docs/release-notes/release-notes-v1.0.md +++ b/contrib/pg_tde/documentation/docs/release-notes/release-notes-v1.0.md @@ -12,7 +12,7 @@ This release provides the following features and improvements: ## Upgrade considerations -`pg_tde` Release Candidate 2 is not backward compatible with `pg_tde` Beta2 due to significant changes in code. This means you cannot directly upgrade from one version to another. You must [uninstall](../how-to/uninstall.md) `pg_tde` Beta2 first and then [install](../install.md) and configure the new Release Candidate version. +`pg_tde` 1.0 is not backward compatible with `pg_tde` Release Candidate 2 due to significant changes in code. This means you cannot directly upgrade from one version to another. You must [uninstall](../how-to/uninstall.md) `pg_tde` Release Candidate 2 first and then [install](../install.md) and configure the new 1.0 version. ## Known issues From 13a8311da51c0ae204667e38730eff4cc45947bf Mon Sep 17 00:00:00 2001 From: Dragos Andriciuc Date: Mon, 16 Jun 2025 11:44:52 +0300 Subject: [PATCH 04/16] small fixes to variables version variable was funky, messing with mkdocs serve, so I fixed it --- .../documentation/docs/release-notes/release-notes-v1.0.md | 2 +- .../pg_tde/documentation/docs/release-notes/release-notes.md | 4 +--- contrib/pg_tde/documentation/variables.yml | 2 +- 3 files changed, 3 insertions(+), 5 deletions(-) 
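Review bot: the rewritten upgrade sentence names only Release Candidate 2, but the index in release-notes.md also lists Release Candidate and Beta2; state whether those installs need the same uninstall-then-install path rather than leaving it implied. `from one version to another` is vaguer than the sentence before it; `from any earlier version to 1.0` says what is meant.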
diff --git a/contrib/pg_tde/documentation/docs/release-notes/release-notes-v1.0.md b/contrib/pg_tde/documentation/docs/release-notes/release-notes-v1.0.md index 45373aea19c6b..82640651dd832 100644 --- a/contrib/pg_tde/documentation/docs/release-notes/release-notes-v1.0.md +++ b/contrib/pg_tde/documentation/docs/release-notes/release-notes-v1.0.md @@ -1,4 +1,4 @@ -# pg_tde 1.0 ({{date.1.0}}) +# pg_tde 1.0 ({{date.GA10}}) `pg_tde` extension brings in [Transparent Data Encryption (TDE)](../index/index.md) to PostgreSQL and enables you to keep sensitive data safe and secure. diff --git a/contrib/pg_tde/documentation/docs/release-notes/release-notes.md b/contrib/pg_tde/documentation/docs/release-notes/release-notes.md index b81060b9305ca..6df84ee886030 100644 --- a/contrib/pg_tde/documentation/docs/release-notes/release-notes.md +++ b/contrib/pg_tde/documentation/docs/release-notes/release-notes.md @@ -2,9 +2,7 @@ `pg_tde` extension brings in [Transparent Data Encryption (TDE)](../index/index.md) to PostgreSQL and enables you to keep sensitive data safe and secure. - -* [Percona Transparent Data Encryption ({{date.1.0}})](release-notes-v1.0.md) -* [pg_tde 1.0 ({{date.1_0}})](release-notes-v1.0.md) +* [Percona Transparent Data Encryption ({{date.GA10}})](release-notes-v1.0.md) * [pg_tde Release Candidate 2 (RC2) ({{date.RC2}})](rc2.md) * [pg_tde Release Candidate 2 (RC2) ({{date.RC2}})](rc2.md) * [pg_tde Release Candidate ({{date.RC}})](rc.md) diff --git a/contrib/pg_tde/documentation/variables.yml b/contrib/pg_tde/documentation/variables.yml index f0a38ed0c8edf..b29de96c19635 100644 --- a/contrib/pg_tde/documentation/variables.yml +++ b/contrib/pg_tde/documentation/variables.yml @@ -5,6 +5,6 @@ pgversion17: '17.5' tdebranch: TDE_REL_17_STABLE date: - date.1.0: '2025-05-29' + GA10: '2025-05-29' RC2: '2025-05-29' RC: '2025-03-27' From cc953010745081accaf2f6294cbe4a2c94dd0336 Mon Sep 17 00:00:00 2001 
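Review bot: the rename to `GA10` fixes the unresolvable dotted key, but the release-notes.md hunk keeps both `* [pg_tde Release Candidate 2 (RC2) ({{date.RC2}})](rc2.md)` lines as context, so the duplicate RC2 entry introduced in patch 01 survives; remove one of them here. The index label (`Percona Transparent Data Encryption`) and the page H1 (`pg_tde 1.0`) now name the same release differently; pick one and use it in both places.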
From: Dragos Andriciuc Date: Mon, 16 Jun 2025 11:53:38 +0300 Subject: [PATCH 05/16] Update release-notes.md changed the title of the pdf to: Percona Transparent Database Encryption for PostgreSQL --- .../pg_tde/documentation/docs/release-notes/release-notes.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contrib/pg_tde/documentation/docs/release-notes/release-notes.md b/contrib/pg_tde/documentation/docs/release-notes/release-notes.md index 6df84ee886030..2e27bff039879 100644 --- a/contrib/pg_tde/documentation/docs/release-notes/release-notes.md +++ b/contrib/pg_tde/documentation/docs/release-notes/release-notes.md @@ -2,7 +2,7 @@ `pg_tde` extension brings in [Transparent Data Encryption (TDE)](../index/index.md) to PostgreSQL and enables you to keep sensitive data safe and secure. -* [Percona Transparent Data Encryption ({{date.GA10}})](release-notes-v1.0.md) +* [Percona Transparent Database Encryption for PostgreSQL ({{date.GA10}})](release-notes-v1.0.md) * [pg_tde Release Candidate 2 (RC2) ({{date.RC2}})](rc2.md) * [pg_tde Release Candidate 2 (RC2) ({{date.RC2}})](rc2.md) * [pg_tde Release Candidate ({{date.RC}})](rc.md) From 5088789577bec3a863ea131aee9f1b66eeb69d7a Mon Sep 17 00:00:00 2001 From: Dragos Andriciuc Date: Mon, 16 Jun 2025 15:00:52 +0300 Subject: [PATCH 06/16] Update mkdocs.yml updated the ToC names to make them in line with style guide --- contrib/pg_tde/documentation/mkdocs.yml | 48 ++++++++++++------------- 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/contrib/pg_tde/documentation/mkdocs.yml b/contrib/pg_tde/documentation/mkdocs.yml index 6e458f51b0bd7..f0af3a92e27a3 100644 --- a/contrib/pg_tde/documentation/mkdocs.yml +++ b/contrib/pg_tde/documentation/mkdocs.yml 
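Review bot: `Transparent Database Encryption` in the new link text conflicts with `Transparent Data Encryption (TDE)` in the intro sentence two lines above and with the TDE expansion used across the docs; the label should match, regardless of what the PDF title is. The duplicated RC2 entry is still present in this hunk's context lines.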
@@ -163,44 +163,44 @@ nav: - "Features": features.md - "Overview": - "What is Transparent Data Encryption (TDE)?": - - "TDE Overview": index/index.md - - "TDE Benefits": index/how-tde-helps.md - - "How TDE Works": index/how-does-tde-work.md - - "Encrypted Data Scope": index/tde-encrypts.md - - "Table Access Methods and TDE": index/table-access-method.md + - "TDE overview": index/index.md + - "TDE benefits": index/how-tde-helps.md + - "How TDE works": index/how-does-tde-work.md + - "Encrypted data scope": index/tde-encrypts.md + - "Table access methods and TDE": index/table-access-method.md - "Limitations of TDE": index/tde-limitations.md - - "Versions and Supported PostgreSQL Deployments": index/supported-versions.md - - "Get Started": + - "Versions and supported PostgreSQL deployments": index/supported-versions.md + - "Get started": - "1. Install pg_tde": install.md - "1.1 Via apt": apt.md - "1.2 Via yum": yum.md - "2. Configure pg_tde": setup.md - "2.1 Configure Key Management (KMS)": - "2.1 Configure Key Management (KMS)": global-key-provider-configuration/index.md - - "KMIP Configuration": global-key-provider-configuration/kmip-server.md - - "Fortanix Configuration": global-key-provider-configuration/kmip-fortanix.md - - "Vault Configuration": global-key-provider-configuration/vault.md - - "Thales Configuration": global-key-provider-configuration/kmip-thales.md - - "Keyring File Configuration": global-key-provider-configuration/keyring.md - - "2.2 Global Principal Key Configuration": global-key-provider-configuration/set-principal-key.md - - "3. Validate Encryption with pg_tde": test.md - - "4. 
Configure WAL Encryption (tech preview)": wal-encryption.md - - "Technical Reference": - - "Technical Reference": advanced-topics/index.md + - "KMIP configuration": global-key-provider-configuration/kmip-server.md + - "Fortanix configuration": global-key-provider-configuration/kmip-fortanix.md + - "Vault configuration": global-key-provider-configuration/vault.md + - "Thales configuration": global-key-provider-configuration/kmip-thales.md + - "Keyring file configuration": global-key-provider-configuration/keyring.md + - "2.2 Global principal key configuration": global-key-provider-configuration/set-principal-key.md + - "3. Validate encryption with pg_tde": test.md + - "4. Configure WAL encryption (tech preview)": wal-encryption.md + - "Technical reference": + - "Technical reference": advanced-topics/index.md - "Architecture": architecture/index.md - - "GUC Variables": variables.md + - "GUC variables": variables.md - "Functions": functions.md - - "TDE Operations": - - "pg_tde CLI Tools": - - "CLI Overview": command-line-tools/index.md + - "TDE operations": + - "pg_tde CLI tools": + - "CLI overview": command-line-tools/index.md - "pg_tde_change_key_provider": command-line-tools/pg-tde-change-key-provider.md - "pg_waldump": command-line-tools/pg-waldump.md - "pg_checksums": command-line-tools/pg-tde-checksums.md - "Uninstall pg_tde": how-to/uninstall.md - - "Configure Multi-tenancy": how-to/multi-tenant-setup.md - - "Decrypt an Encrypted Table": how-to/decrypt.md + - "Configure multi-tenancy": how-to/multi-tenant-setup.md + - "Decrypt an encrypted table": how-to/decrypt.md - faq.md - - "Release Notes": + - "Release notes": - "pg_tde release notes": release-notes/release-notes.md - release-notes/release-notes-v1.0.md - release-notes/rc2.md From 676a1e37e456dda419fb328836a74a3a6a90829b Mon Sep 17 00:00:00 2001 
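Review bot: the sentence-case pass is incomplete: `"2.1 Configure Key Management (KMS)"` is left in title case on both its parent and its child entry, and the child repeats the parent's label verbatim, so the section's landing page appears under its own name in the nav; something like `"Overview"` for the child (as the `"CLI overview"` entry does) would read better. Everything else in the hunk is converted consistently.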
From: Dragos Andriciuc Date: Mon, 16 Jun 2025 15:03:53 +0300 Subject: [PATCH 07/16] Update release-notes-v1.0.md small fix to versions, instead of RC2 I mentioned all previous versions --- .../documentation/docs/release-notes/release-notes-v1.0.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contrib/pg_tde/documentation/docs/release-notes/release-notes-v1.0.md b/contrib/pg_tde/documentation/docs/release-notes/release-notes-v1.0.md index 82640651dd832..590545aa85793 100644 --- a/contrib/pg_tde/documentation/docs/release-notes/release-notes-v1.0.md +++ b/contrib/pg_tde/documentation/docs/release-notes/release-notes-v1.0.md @@ -12,7 +12,7 @@ This release provides the following features and improvements: ## Upgrade considerations -`pg_tde` 1.0 is not backward compatible with `pg_tde` Release Candidate 2 due to significant changes in code. This means you cannot directly upgrade from one version to another. You must [uninstall](../how-to/uninstall.md) `pg_tde` Release Candidate 2 first and then [install](../install.md) and configure the new 1.0 version. +`pg_tde` 1.0 is not backward compatible with previous `pg_tde` versions (like Release Candidate 2) due to significant changes in code. This means you cannot directly upgrade from one version to another. You must [uninstall](../how-to/uninstall.md) `pg_tde` first and then [install](../install.md) and configure the new 1.0 version. ## Known issues From 82f08687b053f860ae557d7660cb47db5a302dd7 Mon Sep 17 00:00:00 2001 From: Dragos Andriciuc Date: Mon, 16 Jun 2025 15:21:04 +0300 Subject: [PATCH 08/16] small fixes updated variable with new release branch and fixed small release note name --- .../pg_tde/documentation/docs/release-notes/release-notes.md | 2 +- contrib/pg_tde/documentation/variables.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/contrib/pg_tde/documentation/docs/release-notes/release-notes.md b/contrib/pg_tde/documentation/docs/release-notes/release-notes.md index 2e27bff039879..7a5175285dc82 100644 --- a/contrib/pg_tde/documentation/docs/release-notes/release-notes.md +++ b/contrib/pg_tde/documentation/docs/release-notes/release-notes.md @@ -2,7 +2,7 @@ `pg_tde` extension brings in [Transparent Data Encryption (TDE)](../index/index.md) to PostgreSQL and enables you to keep sensitive data safe and secure. -* [Percona Transparent Database Encryption for PostgreSQL ({{date.GA10}})](release-notes-v1.0.md) +* [Percona Transparent Database Encryption for PostgreSQL 1.0 ({{date.GA10}})](release-notes-v1.0.md) * [pg_tde Release Candidate 2 (RC2) ({{date.RC2}})](rc2.md) * [pg_tde Release Candidate 2 (RC2) ({{date.RC2}})](rc2.md) * [pg_tde Release Candidate ({{date.RC}})](rc.md) diff --git a/contrib/pg_tde/documentation/variables.yml b/contrib/pg_tde/documentation/variables.yml index b29de96c19635..69b6c9a300813 100644 --- a/contrib/pg_tde/documentation/variables.yml +++ b/contrib/pg_tde/documentation/variables.yml @@ -2,7 +2,7 @@ release: '1.0' pgversion17: '17.5' -tdebranch: TDE_REL_17_STABLE +tdebranch: release-17.5.2 date: GA10: '2025-05-29' From 6e8879f81279355b2f76edb18dc4e951b22a1b46 Mon Sep 17 00:00:00 2001 From: Dragos Andriciuc Date: Wed, 18 Jun 2025 13:22:06 +0300 Subject: [PATCH 09/16] updated rn and variables added new variable pg_tde version updated rn to say we need a clean install of pg_tde not just uninstall --- .../documentation/docs/release-notes/release-notes-v1.0.md | 4 ++-- contrib/pg_tde/documentation/variables.yml | 1 + 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/contrib/pg_tde/documentation/docs/release-notes/release-notes-v1.0.md b/contrib/pg_tde/documentation/docs/release-notes/release-notes-v1.0.md index 590545aa85793..41d6cf8263c6c 100644 --- a/contrib/pg_tde/documentation/docs/release-notes/release-notes-v1.0.md 
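Review bot: `tdebranch` moves from `TDE_REL_17_STABLE` to `release-17.5.2`; if this variable is expanded into source links anywhere in the docs, confirm that branch or tag exists in the repository and matches what the 1.0 packages were built from, since a stale name produces dead links site-wide. The index label now reads `... for PostgreSQL 1.0` while the page H1 is still `pg_tde 1.0`, and the duplicate RC2 line remains.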
+++ b/contrib/pg_tde/documentation/docs/release-notes/release-notes-v1.0.md @@ -8,11 +8,11 @@ This release provides the following features and improvements: -* **Type Release Highhlights here** +* **Type Release Highlights here** ## Upgrade considerations -`pg_tde` 1.0 is not backward compatible with previous `pg_tde` versions (like Release Candidate 2) due to significant changes in code. This means you cannot directly upgrade from one version to another. You must [uninstall](../how-to/uninstall.md) `pg_tde` first and then [install](../install.md) and configure the new 1.0 version. +`pg_tde` {{tdeversion}} is not backward compatible with previous `pg_tde` versions (like Release Candidate 2) due to significant changes in code. This means you cannot directly upgrade from one version to another. You must do **a clean installation** of `pg_tde`. ## Known issues diff --git a/contrib/pg_tde/documentation/variables.yml b/contrib/pg_tde/documentation/variables.yml index 69b6c9a300813..42e367d1a2530 100644 --- a/contrib/pg_tde/documentation/variables.yml +++ b/contrib/pg_tde/documentation/variables.yml @@ -1,5 +1,6 @@ #Variables used throughout the docs +tdeversion: '1.0' release: '1.0' pgversion17: '17.5' tdebranch: release-17.5.2 From 0686a692510624f7b575e1d1dae3634c493100f4 Mon Sep 17 00:00:00 2001 From: Dragos Andriciuc Date: Thu, 26 Jun 2025 13:09:58 +0300 Subject: [PATCH 10/16] Update release-notes-v1.0.md small update to Upgrade Considerations, updated Release highlights --- .../docs/release-notes/release-notes-v1.0.md | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/contrib/pg_tde/documentation/docs/release-notes/release-notes-v1.0.md b/contrib/pg_tde/documentation/docs/release-notes/release-notes-v1.0.md index 41d6cf8263c6c..14a99e829c741 100644 --- a/contrib/pg_tde/documentation/docs/release-notes/release-notes-v1.0.md +++ b/contrib/pg_tde/documentation/docs/release-notes/release-notes-v1.0.md 
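Review bot: `tdeversion: '1.0'` duplicates the existing `release: '1.0'`; two variables with the same meaning will drift on the next release, so either reuse `release` or note in the comment what distinguishes them. The rewritten upgrade paragraph drops the `[uninstall](../how-to/uninstall.md)` and `[install](../install.md)` links that the previous wording carried; keep them so `a clean installation` points readers at the actual procedure.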
@@ -8,11 +8,19 @@ This release provides the following features and improvements: -* **Type Release Highlights here** +* **Major documentation updates** + +The `pg_tde` documentation has received significant updates, which include: + +- New KMS configuration guides for Fortanix, Vault, KMIP and OpenBAO +- Reorganized and expanded topics for Architecture, GUC, Functions and FAQ +- Extensive and numerous refinements and clarifications across the entire site + +Explore the full documentation [in the official `pg_tde` documentations](https://docs.percona.com/pg-tde/index.html). ## Upgrade considerations -`pg_tde` {{tdeversion}} is not backward compatible with previous `pg_tde` versions (like Release Candidate 2) due to significant changes in code. This means you cannot directly upgrade from one version to another. You must do **a clean installation** of `pg_tde`. +`pg_tde` {{tdeversion}} is **not** backward compatible with previous `pg_tde` versions, like Release Candidate 2, due to significant changes in code. This means you **cannot** directly upgrade from one version to another. You must do **a clean installation** of `pg_tde`. ## Known issues From 811271614a131a7a2e57675802b5e54887390970 Mon Sep 17 00:00:00 2001 From: Dragos Andriciuc Date: Fri, 27 Jun 2025 12:22:01 +0300 Subject: [PATCH 11/16] new tickets and highlights added new ticket items and highlights, fixed mkdocs TOC structure and update date --- .../docs/release-notes/release-notes-v1.0.md | 64 +++++++++++++++++-- contrib/pg_tde/documentation/mkdocs.yml | 13 ---- contrib/pg_tde/documentation/variables.yml | 2 +- 3 files changed, 60 insertions(+), 19 deletions(-) diff --git a/contrib/pg_tde/documentation/docs/release-notes/release-notes-v1.0.md b/contrib/pg_tde/documentation/docs/release-notes/release-notes-v1.0.md index 14a99e829c741..ccb6ccc21772c 100644 --- a/contrib/pg_tde/documentation/docs/release-notes/release-notes-v1.0.md +++ b/contrib/pg_tde/documentation/docs/release-notes/release-notes-v1.0.md 
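Review bot: the new highlight lists a KMS configuration guide for OpenBAO, but the nav in mkdocs.yml (patch 06) has KMIP, Fortanix, Vault, Thales and Keyring file pages and no OpenBAO entry; add the page to the nav or drop it from the highlight so the release notes do not advertise a guide readers cannot find. Minor: `in the official `pg_tde` documentations` should be `documentation`, and the file now mixes `*` for the highlight and `-` for the sub-list, which MkDocs renders fine but the rest of the file uses `*`.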
@@ -1,19 +1,37 @@ # pg_tde 1.0 ({{date.GA10}}) -`pg_tde` extension brings in [Transparent Data Encryption (TDE)](../index/index.md) to PostgreSQL and enables you to keep sensitive data safe and secure. +The `pg_tde` by Percona extension brings in [Transparent Data Encryption (TDE)](../index/index.md) to PostgreSQL and enables you to keep sensitive data safe and secure. [Get Started](../install.md){.md-button} ## Release Highlights -This release provides the following features and improvements: +* **Streaming and logical replication compatibility** + +You can now use `pg_tde` in replication setups. + +* **Improved performance testing & automation** + +Bare-metal fuzz testing, performance benchmarking with CI/CD pipelines, and daily reporting integrations with Grafana and InfluxDB help ensure robustness and transparency. + +* **Key management enhancements** + +Added SQL-level functions and CLI tools for rotating, validating, and managing encryption keys. Now more compliant with PostgreSQL standards. + +* **Better developer experience** + +Contributor guides, PostgreSQL-style CLI, static analysis integration (Clang), and extensive refactoring improve maintainability and onboarding for new contributors. + +* **Security hardened** + +Sensitive metadata redaction, improved error messages, proper SQLSTATE codes, and stricter key validation increase security and clarity. * **Major documentation updates** The `pg_tde` documentation has received significant updates, which include: -- New KMS configuration guides for Fortanix, Vault, KMIP and OpenBAO -- Reorganized and expanded topics for Architecture, GUC, Functions and FAQ +- New configuration guides for Fortanix, Vault, KMIP and OpenBAO +- Reorganized and expanded topics for Architecture, GUC, Functions, TDE Operations and FAQ - Extensive and numerous refinements and clarifications across the entire site Explore the full documentation [in the official `pg_tde` documentations](https://docs.percona.com/pg-tde/index.html). 
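Review bot: several highlights make claims the changelog below does not back with a ticket. `Streaming and logical replication compatibility` is supported only by PG-802, which documents streaming replication; nothing in the list covers logical replication. `Security hardened` cites sensitive metadata redaction and stricter key validation, but the tickets listed are PG-1435 (error messages), PG-1499 (metadata visibility) and PG-1527 (error codes). `Now more compliant with PostgreSQL standards` under key management is unverifiable as phrased. Tie each highlight to the PG-xxxx entries it summarises, or trim the highlight to what the tickets say.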
@@ -37,6 +55,42 @@ Adjust the limits with caution since it affects other processes running in your ### New Features -## Improvements +- [PG-802](https://perconadev.atlassian.net/browse/PG-802) – Documented setting up streaming replication with `pg_tde` +- [PG-829](https://perconadev.atlassian.net/browse/PG-829) – Refactored and simplified key map code +- [PG-836](https://perconadev.atlassian.net/browse/PG-836) – Added custom wait events to writing to key files and key provider files +- [PG-1257](https://perconadev.atlassian.net/browse/PG-1257) – Added SQL function to remove the current principal key +- [PG-1292](https://perconadev.atlassian.net/browse/PG-1292) – Added a CI/CD performance test job in PSP GH repo +- [PG-1316](https://perconadev.atlassian.net/browse/PG-1316) – Integrated daily automated Performance Results with InfluxDB and Grafana +- [PG-1351](https://perconadev.atlassian.net/browse/PG-1351) – Documented how to decrypt old backups after the principal key was rotated +- [PG-1443](https://perconadev.atlassian.net/browse/PG-1443) – Made `pg_tde_change_key_provider` CLI utility follow PostgreSQL coding style +- [PG-1448](https://perconadev.atlassian.net/browse/PG-1448) – `pg_tde` now uses jsonc instead of the internal json API +- [PG-1464](https://perconadev.atlassian.net/browse/PG-1464) – Integrated the clang static analyzer for `pg_tde` + +### Improvements + +- [PG-953](https://perconadev.atlassian.net/browse/PG-953) – The tdemap code now allows the creation of duplicate keys +- [PG-1435](https://perconadev.atlassian.net/browse/PG-1435) – Improved error message explanations +- [PG-1499](https://perconadev.atlassian.net/browse/PG-1499) – Enhanced encryption metadata visibility in `pg_tde` +- [PG-1527](https://perconadev.atlassian.net/browse/PG-1527) – Added proper error codes for error messages in `pg_tde` +- [PG-1617](https://perconadev.atlassian.net/browse/PG-1617) – Removed relation key cache +- 
[PG-1635](https://perconadev.atlassian.net/browse/PG-1635) – User-facing TDE functions now return void ### Bugs Fixed + +- [PG-1581](https://perconadev.atlassian.net/browse/PG-1581) – Fixed PostgreSQL crashes on table access when KMIP key is unavailable after restart +- [PG-1583](https://perconadev.atlassian.net/browse/PG-1583) – Fixed a crash when dropping the `pg_tde` extension with CASCADE after changing the key provider file +- [PG-1585](https://perconadev.atlassian.net/browse/PG-1585) – Fixed the vault provider re-addition that failed after server restart with a new token +- [PG-1592](https://perconadev.atlassian.net/browse/PG-1592) – Improve error logs when Server Key Info is requested without being created +- [PG-1593](https://perconadev.atlassian.net/browse/PG-1593) – Fixed runtime failures when invalid Vault tokens are allowed during key provider creation +- [PG-1600](https://perconadev.atlassian.net/browse/PG-1600) – Fixed Postmaster error when dropping a table with an unavailable key provider +- [PG-1605](https://perconadev.atlassian.net/browse/PG-1605) – Fixed the creation of undeclared dependencies for `pg_tde_grant_database_key_management_to_role()` +- [PG-1606](https://perconadev.atlassian.net/browse/PG-1606) – Fixed missing superuser check in role grant function leads to misleading errors +- [PG-1607](https://perconadev.atlassian.net/browse/PG-1607) – Made CA parameter optional when Vault server runs without SSL +- [PG-1608](https://perconadev.atlassian.net/browse/PG-1608) – Updated and fixed global key configuration parameters in documentation +- [PG-1613](https://perconadev.atlassian.net/browse/PG-1613) – Fixed the `pg_tde_change_key_provider` CLI tool +- [PG-1637](https://perconadev.atlassian.net/browse/PG-1637) – Fixed unused keys in key files which caused issues after OID wraparound +- [PG-1651](https://perconadev.atlassian.net/browse/PG-1651) – Fixed the CLI tool when working with Vault key export/import +- 
[PG-1652](https://perconadev.atlassian.net/browse/PG-1652) – Fixed when the server fails to find encryption keys after CLI-based provider change +- [PG-1662](https://perconadev.atlassian.net/browse/PG-1662) – Fixed the creation of inconsistent encryption status when altering partitioned tables +- [PG-1663](https://perconadev.atlassian.net/browse/PG-1663) – Fixed the indexes on partitioned tables which were not encrypted +- [PG-1700](https://perconadev.atlassian.net/browse/PG-1700) – Fixed the error hint when the principal key is missing diff --git a/contrib/pg_tde/documentation/mkdocs.yml b/contrib/pg_tde/documentation/mkdocs.yml index 007ad21017070..f0f97128c8082 100644 --- a/contrib/pg_tde/documentation/mkdocs.yml +++ b/contrib/pg_tde/documentation/mkdocs.yml @@ -177,18 +177,6 @@ nav: - "2. Configure pg_tde": setup.md - "2.1 Configure Key Management (KMS)": - "2.1 Configure Key Management (KMS)": global-key-provider-configuration/index.md -<<<<<<< pg-tde-release-notes-1.0 - - "KMIP configuration": global-key-provider-configuration/kmip-server.md - - "Fortanix configuration": global-key-provider-configuration/kmip-fortanix.md - - "Vault configuration": global-key-provider-configuration/vault.md - - "Thales configuration": global-key-provider-configuration/kmip-thales.md - - "Keyring file configuration": global-key-provider-configuration/keyring.md - - "2.2 Global principal key configuration": global-key-provider-configuration/set-principal-key.md - - "3. Validate encryption with pg_tde": test.md - - "4. Configure WAL encryption (tech preview)": wal-encryption.md - - "Technical reference": - - "Technical reference": advanced-topics/index.md -======= - "KMIP Configuration": global-key-provider-configuration/kmip-server.md - "Fortanix Configuration": global-key-provider-configuration/kmip-fortanix.md - "Vault Configuration": global-key-provider-configuration/vault.md 
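Review bot: wording in the Bugs Fixed list needs a pass, and two entries are security-relevant enough to deserve precision. `PG-1606 – Fixed missing superuser check in role grant function leads to misleading errors` is ungrammatical; suggest `Added the missing superuser check to the role grant function, which previously failed with misleading errors`, since a missing privilege check is the substantive fix here, not the error text. `PG-1607 – Made CA parameter optional when Vault server runs without SSL` should add that the CA parameter is still needed for TLS endpoints, so readers do not drop it from a TLS configuration. `PG-1592 – Improve error logs` is the only present-tense entry; use `Improved`. Under Improvements, `PG-953 – The tdemap code now allows the creation of duplicate keys` reads like a regression rather than an improvement; say what behaviour this enables. In the mkdocs.yml hunk the removed `<<<<<<< pg-tde-release-notes-1.0` and `=======` lines show that index 007ad21017070 had an unresolved merge conflict committed into the nav; worth a note in the commit message.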
@@ -199,7 +187,6 @@ nav: - "4. Configure WAL Encryption (tech preview)": wal-encryption.md - "Technical Reference": - "Overview": advanced-topics/index.md ->>>>>>> release-17.5.2 - "Architecture": architecture/index.md - "GUC variables": variables.md - "Functions": functions.md diff --git a/contrib/pg_tde/documentation/variables.yml b/contrib/pg_tde/documentation/variables.yml index 42e367d1a2530..2938e44a53a96 100644 --- a/contrib/pg_tde/documentation/variables.yml +++ b/contrib/pg_tde/documentation/variables.yml @@ -6,6 +6,6 @@ pgversion17: '17.5' tdebranch: release-17.5.2 date: - GA10: '2025-05-29' + GA10: '2025-06-30' RC2: '2025-05-29' RC: '2025-03-27' From 5228cd69679bb4d3c891378aa4a687af008f4387 Mon Sep 17 00:00:00 2001 From: Dragos Andriciuc Date: Mon, 30 Jun 2025 12:55:24 +0300 Subject: [PATCH 12/16] Update release-notes-v1.0.md updated with GA mention and stable for encrypting relational data --- .../documentation/docs/release-notes/release-notes-v1.0.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/contrib/pg_tde/documentation/docs/release-notes/release-notes-v1.0.md b/contrib/pg_tde/documentation/docs/release-notes/release-notes-v1.0.md index ccb6ccc21772c..6942d59df5f86 100644 --- a/contrib/pg_tde/documentation/docs/release-notes/release-notes-v1.0.md +++ b/contrib/pg_tde/documentation/docs/release-notes/release-notes-v1.0.md @@ -6,6 +6,10 @@ The `pg_tde` by Percona extension brings in [Transparent Data Encryption (TDE)]( ## Release Highlights +* **`pg_tde` 1.0 is now **GA (Generally Available)** + +And **stable** for encrypting relational data in PostgreSQL using [Transparent Data Encryption (TDE)](../index/index.md). This milestone brings production-level data protection to PostgreSQL workloads. + * **Streaming and logical replication compatibility** You can now use `pg_tde` in replication setups. From 67c00d5b58e068a507538767986d676b474968c0 Mon Sep 17 00:00:00 2001 
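Review bot: the conflict resolution keeps the `release-17.5.2` side, so `"Technical Reference"`, `"4. Configure WAL Encryption (tech preview)"` and `"Overview"` return to Title Case while the retained context line `"GUC variables"` still carries patch 06's sentence case; the nav now mixes both styles and the style-guide change from patch 06 is partly lost. In the patch 12 hunk the bullet `* **`pg_tde` 1.0 is now **GA (Generally Available)**` has unbalanced bold markers, and the following paragraph opens with `And **stable** for ...`, a fragment cut off from the bullet; fold the two into one sentence.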
From: Dragos Andriciuc Date: Mon, 30 Jun 2025 14:56:39 +0300 Subject: [PATCH 13/16] Update release-notes-v1.0.md removed highlights, removed tickets that were to do from list, added wal beta mention in highlights --- .../docs/release-notes/release-notes-v1.0.md | 38 ++----------------- 1 file changed, 3 insertions(+), 35 deletions(-) diff --git a/contrib/pg_tde/documentation/docs/release-notes/release-notes-v1.0.md b/contrib/pg_tde/documentation/docs/release-notes/release-notes-v1.0.md index 6942d59df5f86..f12f48f05b6af 100644 --- a/contrib/pg_tde/documentation/docs/release-notes/release-notes-v1.0.md +++ b/contrib/pg_tde/documentation/docs/release-notes/release-notes-v1.0.md 
@@ -10,35 +10,9 @@ The `pg_tde` by Percona extension brings in [Transparent Data Encryption (TDE)]( And **stable** for encrypting relational data in PostgreSQL using [Transparent Data Encryption (TDE)](../index/index.md). This milestone brings production-level data protection to PostgreSQL workloads. -* **Streaming and logical replication compatibility** +* **WAL encryption is still in Beta** -You can now use `pg_tde` in replication setups. - -* **Improved performance testing & automation** - -Bare-metal fuzz testing, performance benchmarking with CI/CD pipelines, and daily reporting integrations with Grafana and InfluxDB help ensure robustness and transparency. - -* **Key management enhancements** - -Added SQL-level functions and CLI tools for rotating, validating, and managing encryption keys. Now more compliant with PostgreSQL standards. - -* **Better developer experience** - -Contributor guides, PostgreSQL-style CLI, static analysis integration (Clang), and extensive refactoring improve maintainability and onboarding for new contributors. - -* **Security hardened** - -Sensitive metadata redaction, improved error messages, proper SQLSTATE codes, and stricter key validation increase security and clarity. - -* **Major documentation updates** - -The `pg_tde` documentation has received significant updates, which include: - -- New configuration guides for Fortanix, Vault, KMIP and OpenBAO -- Reorganized and expanded topics for Architecture, GUC, Functions, TDE Operations and FAQ -- Extensive and numerous refinements and clarifications across the entire site - -Explore the full documentation [in the official `pg_tde` documentations](https://docs.percona.com/pg-tde/index.html). +The WAL encryption feature is currently still in beta and is not effective unless explicitly enabled. **It is not yet production ready.** Do **not** enable this feature in production environments. ## Upgrade considerations 
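Review bot: the new highlight calls WAL encryption `Beta` while the nav entry in mkdocs.yml still reads `4. Configure WAL Encryption (tech preview)`; use one term in both places so readers can tell whether these are the same maturity level. `is not effective unless explicitly enabled` is indirect; `is disabled by default and must be explicitly enabled` states the same thing plainly, and the production warning that follows then stands on its own.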
@@ -61,20 +35,14 @@ Adjust the limits with caution since it affects other processes running in your - [PG-802](https://perconadev.atlassian.net/browse/PG-802) – Documented setting up streaming replication with `pg_tde` - [PG-829](https://perconadev.atlassian.net/browse/PG-829) – Refactored and simplified key map code -- [PG-836](https://perconadev.atlassian.net/browse/PG-836) – Added custom wait events to writing to key files and key provider files - [PG-1257](https://perconadev.atlassian.net/browse/PG-1257) – Added SQL function to remove the current principal key - [PG-1292](https://perconadev.atlassian.net/browse/PG-1292) – Added a CI/CD performance test job in PSP GH repo - [PG-1316](https://perconadev.atlassian.net/browse/PG-1316) – Integrated daily automated Performance Results with InfluxDB and Grafana -- [PG-1351](https://perconadev.atlassian.net/browse/PG-1351) – Documented how to decrypt old backups after the principal key was rotated -- [PG-1443](https://perconadev.atlassian.net/browse/PG-1443) – Made `pg_tde_change_key_provider` CLI utility follow PostgreSQL coding style -- [PG-1448](https://perconadev.atlassian.net/browse/PG-1448) – `pg_tde` now uses jsonc instead of the internal json API +- [PG-1351](https://perconadev.atlassian.net/browse/PG-1351) – Documented how to decrypt old backups after the principal key was rotated - [PG-1464](https://perconadev.atlassian.net/browse/PG-1464) – Integrated the clang static analyzer for `pg_tde` ### Improvements -- [PG-953](https://perconadev.atlassian.net/browse/PG-953) – The tdemap code now allows the creation of duplicate keys -- [PG-1435](https://perconadev.atlassian.net/browse/PG-1435) – Improved error message explanations -- [PG-1499](https://perconadev.atlassian.net/browse/PG-1499) – Enhanced encryption metadata visibility in `pg_tde` - [PG-1527](https://perconadev.atlassian.net/browse/PG-1527) – Added proper error codes for error messages in `pg_tde` - 
[PG-1617](https://perconadev.atlassian.net/browse/PG-1617) – Removed relation key cache - [PG-1635](https://perconadev.atlassian.net/browse/PG-1635) – User-facing TDE functions now return void From 628a61c87d4a80deff6f86d9532ef8c3d57652ca Mon Sep 17 00:00:00 2001 From: Dragos Andriciuc Date: Mon, 30 Jun 2025 15:04:42 +0300 Subject: [PATCH 14/16] Update release-notes-v1.0.md small fix to GA header, removed extra ** --- .../documentation/docs/release-notes/release-notes-v1.0.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contrib/pg_tde/documentation/docs/release-notes/release-notes-v1.0.md b/contrib/pg_tde/documentation/docs/release-notes/release-notes-v1.0.md index f12f48f05b6af..15247c724ac0f 100644 --- a/contrib/pg_tde/documentation/docs/release-notes/release-notes-v1.0.md +++ b/contrib/pg_tde/documentation/docs/release-notes/release-notes-v1.0.md @@ -6,7 +6,7 @@ The `pg_tde` by Percona extension brings in [Transparent Data Encryption (TDE)]( ## Release Highlights -* **`pg_tde` 1.0 is now **GA (Generally Available)** +* **`pg_tde` 1.0 is now GA (Generally Available)** And **stable** for encrypting relational data in PostgreSQL using [Transparent Data Encryption (TDE)](../index/index.md). This milestone brings production-level data protection to PostgreSQL workloads. From 4c71095fb7a8c3169cf36892e04bd2e04975d176 Mon Sep 17 00:00:00 2001 From: Dragos Andriciuc Date: Mon, 30 Jun 2025 15:20:30 +0300 Subject: [PATCH 15/16] Update release-notes-v1.0.md removed non-feature tickets and a duplicate improvement ticket --- .../documentation/docs/release-notes/release-notes-v1.0.md | 7 ------- 1 file changed, 7 deletions(-) diff --git a/contrib/pg_tde/documentation/docs/release-notes/release-notes-v1.0.md b/contrib/pg_tde/documentation/docs/release-notes/release-notes-v1.0.md index 15247c724ac0f..431085550874b 100644 --- a/contrib/pg_tde/documentation/docs/release-notes/release-notes-v1.0.md 
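Review bot: in the second hunk of PATCH 13/16 the PG-1351 entry ("Documented how to decrypt old backups after the principal key was rotated") is deleted and re-added with visually identical text, so the change is most likely trailing whitespace or a different dash character; either drop the no-op pair or make the intended edit visible. The same hunk removes PG-1443 and PG-1448 from "New Features" although the commit message describes the removals as "tickets that were to do"; if those items did not ship in 1.0 the message should say so, and if they did ship, PG-1448 (`pg_tde` now uses jsonc instead of the internal json API) is a dependency change that packagers need to see in the changelog.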
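Review bot: the corrected GA bullet in PATCH 14/16 is followed by a paragraph that begins "And **stable** for encrypting relational data …", which is a sentence fragment once the bullet reads "`pg_tde` 1.0 is now GA (Generally Available)"; either fold the two into one sentence ("`pg_tde` 1.0 is now GA (Generally Available) and stable for encrypting relational data in PostgreSQL …") or start the paragraph with "It is stable for …".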
+++ b/contrib/pg_tde/documentation/docs/release-notes/release-notes-v1.0.md @@ -33,17 +33,10 @@ Adjust the limits with caution since it affects other processes running in your ### New Features -- [PG-802](https://perconadev.atlassian.net/browse/PG-802) – Documented setting up streaming replication with `pg_tde` -- [PG-829](https://perconadev.atlassian.net/browse/PG-829) – Refactored and simplified key map code - [PG-1257](https://perconadev.atlassian.net/browse/PG-1257) – Added SQL function to remove the current principal key -- [PG-1292](https://perconadev.atlassian.net/browse/PG-1292) – Added a CI/CD performance test job in PSP GH repo -- [PG-1316](https://perconadev.atlassian.net/browse/PG-1316) – Integrated daily automated Performance Results with InfluxDB and Grafana -- [PG-1351](https://perconadev.atlassian.net/browse/PG-1351) – Documented how to decrypt old backups after the principal key was rotated -- [PG-1464](https://perconadev.atlassian.net/browse/PG-1464) – Integrated the clang static analyzer for `pg_tde` ### Improvements -- [PG-1527](https://perconadev.atlassian.net/browse/PG-1527) – Added proper error codes for error messages in `pg_tde` - [PG-1617](https://perconadev.atlassian.net/browse/PG-1617) – Removed relation key cache - [PG-1635](https://perconadev.atlassian.net/browse/PG-1635) – User-facing TDE functions now return void From f68b4688d24f7d7bb1b86080281d6e8ecd68aa3e Mon Sep 17 00:00:00 2001 From: Dragos Andriciuc Date: Mon, 30 Jun 2025 16:46:50 +0300 Subject: [PATCH 16/16] Update release-notes-v1.0.md --- .../documentation/docs/release-notes/release-notes-v1.0.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/contrib/pg_tde/documentation/docs/release-notes/release-notes-v1.0.md b/contrib/pg_tde/documentation/docs/release-notes/release-notes-v1.0.md index 431085550874b..96a7ce3b1ea2a 100644 --- a/contrib/pg_tde/documentation/docs/release-notes/release-notes-v1.0.md 
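Review bot: after the PATCH 15/16 hunk, "New Features" holds a single entry, PG-1257 "Added SQL function to remove the current principal key", which names neither the function nor its preconditions or effect on data already encrypted under that key; for a key-removing operation that is exactly what the reader needs, so name the function and link to its reference page. Dropping PG-1351 together with the CI and refactoring tickets also removes the only changelog pointer to the procedure for decrypting old backups after a key rotation, which is user-facing; keep that line, under "Improvements" or a documentation entry, even if it is not a feature.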
+++ b/contrib/pg_tde/documentation/docs/release-notes/release-notes-v1.0.md @@ -39,6 +39,7 @@ Adjust the limits with caution since it affects other processes running in your - [PG-1617](https://perconadev.atlassian.net/browse/PG-1617) – Removed relation key cache - [PG-1635](https://perconadev.atlassian.net/browse/PG-1635) – User-facing TDE functions now return void +- [PG-1605](https://perconadev.atlassian.net/browse/PG-1605) – Removed undeclared dependencies for `pg_tde_grant_database_key_management_to_role()` ### Bugs Fixed 
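Review bot: the added PG-1605 line is appended after PG-1635, breaking the ascending ticket order the rest of the list follows (PG-1617, PG-1635); place it first. Its wording "Removed undeclared dependencies for `pg_tde_grant_database_key_management_to_role()`" also says less than the "Bugs Fixed" entry it replaces ("Fixed the creation of undeclared dependencies …"): "removed dependencies" can be read as the function now depending on fewer objects rather than as a dependency-tracking defect being fixed. State what the user sees, for example "Fixed `pg_tde_grant_database_key_management_to_role()` creating undeclared dependencies", and reconsider whether a fix belongs under "Improvements" at all.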
@@ -48,11 +49,10 @@ Adjust the limits with caution since it affects other processes running in your - [PG-1592](https://perconadev.atlassian.net/browse/PG-1592) – Improve error logs when Server Key Info is requested without being created - [PG-1593](https://perconadev.atlassian.net/browse/PG-1593) – Fixed runtime failures when invalid Vault tokens are allowed during key provider creation - [PG-1600](https://perconadev.atlassian.net/browse/PG-1600) – Fixed Postmaster error when dropping a table with an unavailable key provider -- [PG-1605](https://perconadev.atlassian.net/browse/PG-1605) – Fixed the creation of undeclared dependencies for `pg_tde_grant_database_key_management_to_role()` - [PG-1606](https://perconadev.atlassian.net/browse/PG-1606) – Fixed missing superuser check in role grant function leads to misleading errors -- [PG-1607](https://perconadev.atlassian.net/browse/PG-1607) – Made CA parameter optional when Vault server runs without SSL +- [PG-1607](https://perconadev.atlassian.net/browse/PG-1607) – Improved CA parameter order and surrounding documentation for clearer interpretation - [PG-1608](https://perconadev.atlassian.net/browse/PG-1608) – Updated and fixed global key configuration parameters in documentation -- [PG-1613](https://perconadev.atlassian.net/browse/PG-1613) – Fixed the `pg_tde_change_key_provider` CLI tool +- [PG-1613](https://perconadev.atlassian.net/browse/PG-1613) – Tested and improved the `pg_tde_change_key_provider` CLI utility - [PG-1637](https://perconadev.atlassian.net/browse/PG-1637) – Fixed unused keys in key files which caused issues after OID wraparound - [PG-1651](https://perconadev.atlassian.net/browse/PG-1651) – Fixed the CLI tool when working with Vault key export/import - [PG-1652](https://perconadev.atlassian.net/browse/PG-1652) – Fixed when the server fails to find encryption keys after CLI-based provider change
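Review bot: the PG-1607 rewording drops the behavioural statement users cared about: the old line said the CA parameter became optional when the Vault server runs without SSL, the new one says only that parameter order and documentation were improved. Whether a CA certificate is required for Vault connections is a security-relevant configuration fact, so if the parameter is still required with a TLS-less Vault say that, and if it became optional keep the original wording. Likewise "Tested and improved the `pg_tde_change_key_provider` CLI utility" for PG-1613 is less informative than the "Fixed …" line it replaces; testing is not a user-visible change, so state what was fixed. Minor, in the unchanged context: the PG-1606 line "Fixed missing superuser check in role grant function leads to misleading errors" reads better as "… which led to misleading errors", and PG-1592 "Improve error logs" should use the past tense like the rest of the list.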