Skip to content

Releases: commandprompt/open_pg_tde

open_pg_tde 2.4.0

Choose a tag to compare

@jdatcmd jdatcmd released this 16 Jul 14:26
c656256

open_pg_tde 2.4.0 is a security hardening release. It resolves the findings of an internal security review of the extension and the core patch, and runs on upstream PostgreSQL 16, 17, and 18. No vendor server fork is required: you apply the gated core patch to a stock PostgreSQL source tree and build the extension against it.

Full release notes: https://commandprompt.github.io/open_pg_tde/latest/release-notes/release-notes-v2.4.0/

Highlights since 2.3.0

  • Authenticated key metadata. key_base_iv is now part of the AEAD additional authenticated data for the relation key map file (version 5 to 6) and the WAL key file (version 2 to 3), so altering it on disk is detected when the key is read. Both formats migrate automatically at server start.
  • XTS-only data ciphers. The AES-CBC options for open_pg_tde.data_cipher were removed; data files always use a length-preserving XTS cipher (aes_xts default, aes_256_xts, or inherit).
  • Hardened temporary file encryption. Each temporary file mixes a value unique to that file into the cipher tweak, so two files that hold the same data no longer produce the same ciphertext.
  • KMIP server certificate verification. The KMIP provider verifies the server's TLS certificate (peer verification, host name or IP match, TLS 1.2 or later).
  • Key management hardening. The OpenBao provider no longer follows HTTP redirects; the command-line tools write WAL files with owner-only (0600) permissions; input and bounds handling in the command-line key provider tool were hardened.
  • Key material is zeroized. Relation and principal key buffers are wiped from memory after use.
  • Faster page encryption. The AES key schedule is reused across a relation's pages instead of being rebuilt for each page.
  • Threat model. Documents that an unlogged table's init and main forks share the data-file tweak, which is required by PostgreSQL's crash-time reset of unlogged relations.

Upgrading

This release changes on-disk key file formats. The upgrade is one way: once a cluster has started under 2.4.0 its key files are rewritten and are not read by 2.3.0. Take a file-level backup before upgrading.

  • Key file migration is automatic on first start under 2.4.0.
  • AES-CBC data cipher removed. If open_pg_tde.data_cipher is set explicitly to a removed CBC value (aes_128 or aes_256), change it to aes_xts or aes_256_xts before starting 2.4.0, or the server rejects the value. Tables already created with a CBC cipher stay readable with their recorded cipher.

Source tarballs

Each tarball is a complete source tree (including the libkmip submodule) carrying only the core patch for its PostgreSQL major:

PostgreSQL Tarball
18 open_pg_tde-2.4.0-pg18.tar.gz
17 open_pg_tde-2.4.0-pg17.tar.gz
16 open_pg_tde-2.4.0-pg16.tar.gz

Verify with sha256sum -c SHA256SUMS. To build, apply the core patch to a matching stock PostgreSQL source tree (patches/postgresql/apply.sh) and build the extension against that install. See the documentation for details.

open_pg_tde 2.3.0

Choose a tag to compare

@jdatcmd jdatcmd released this 07 Jul 23:23

open_pg_tde 2.3.0 provides Transparent Data Encryption for upstream PostgreSQL 16, 17, and 18. No vendor server fork is required: you apply the gated core patch to a stock PostgreSQL source tree and build the extension against it.

Highlights since 2.2.0

  • Native PostgreSQL 16, 17, and 18 through the gated core patch (patches/postgresql/<major>/). With the flag off, the tree builds as unmodified PostgreSQL.
  • Temporary file encryption (encrypt_temp_files), AES-128-XTS with a memory-only per-boot key.
  • AES-256-XTS data cipher (open_pg_tde.data_cipher = aes_256_xts), alongside AES-128-XTS and the CBC ciphers.
  • FIPS enforcement (open_pg_tde.require_fips): all cryptography uses FIPS-approved modes.
  • New documentation: threat model, FIPS compliance, comparison with Percona pg_tde, and a performance baseline.
  • Data-checksum torn-page safety, with a startup warning when neither data checksums nor wal_log_hints is enabled.

Source tarballs

Each tarball is a complete source tree (including the libkmip submodule) carrying only the core patch for its PostgreSQL major:

PostgreSQL Tarball
18 open_pg_tde-2.3.0-pg18.tar.gz
17 open_pg_tde-2.3.0-pg17.tar.gz
16 open_pg_tde-2.3.0-pg16.tar.gz

Verify with sha256sum -c SHA256SUMS. To build, apply the core patch to a matching stock PostgreSQL source tree (patches/postgresql/apply.sh) and build the extension against that install. See documentation/docs/install-from-source.md.