Releases: commandprompt/open_pg_tde
Release list
open_pg_tde 2.4.0
open_pg_tde 2.4.0 is a security hardening release. It resolves the findings of an internal security review of the extension and the core patch, and runs on upstream PostgreSQL 16, 17, and 18. No vendor server fork is required: you apply the gated core patch to a stock PostgreSQL source tree and build the extension against it.
Full release notes: https://commandprompt.github.io/open_pg_tde/latest/release-notes/release-notes-v2.4.0/
Highlights since 2.3.0
- Authenticated key metadata.
key_base_ivis now part of the AEAD additional authenticated data for the relation key map file (version 5 to 6) and the WAL key file (version 2 to 3), so altering it on disk is detected when the key is read. Both formats migrate automatically at server start. - XTS-only data ciphers. The AES-CBC options for
open_pg_tde.data_cipherwere removed; data files always use a length-preserving XTS cipher (aes_xtsdefault,aes_256_xts, orinherit). - Hardened temporary file encryption. Each temporary file mixes a value unique to that file into the cipher tweak, so two files that hold the same data no longer produce the same ciphertext.
- KMIP server certificate verification. The KMIP provider verifies the server's TLS certificate (peer verification, host name or IP match, TLS 1.2 or later).
- Key management hardening. The OpenBao provider no longer follows HTTP redirects; the command-line tools write WAL files with owner-only (0600) permissions; input and bounds handling in the command-line key provider tool were hardened.
- Key material is zeroized. Relation and principal key buffers are wiped from memory after use.
- Faster page encryption. The AES key schedule is reused across a relation's pages instead of being rebuilt for each page.
- Threat model. Documents that an unlogged table's init and main forks share the data-file tweak, which is required by PostgreSQL's crash-time reset of unlogged relations.
Upgrading
This release changes on-disk key file formats. The upgrade is one way: once a cluster has started under 2.4.0 its key files are rewritten and are not read by 2.3.0. Take a file-level backup before upgrading.
- Key file migration is automatic on first start under 2.4.0.
- AES-CBC data cipher removed. If
open_pg_tde.data_cipheris set explicitly to a removed CBC value (aes_128oraes_256), change it toaes_xtsoraes_256_xtsbefore starting 2.4.0, or the server rejects the value. Tables already created with a CBC cipher stay readable with their recorded cipher.
Source tarballs
Each tarball is a complete source tree (including the libkmip submodule) carrying only the core patch for its PostgreSQL major:
| PostgreSQL | Tarball |
|---|---|
| 18 | open_pg_tde-2.4.0-pg18.tar.gz |
| 17 | open_pg_tde-2.4.0-pg17.tar.gz |
| 16 | open_pg_tde-2.4.0-pg16.tar.gz |
Verify with sha256sum -c SHA256SUMS. To build, apply the core patch to a matching stock PostgreSQL source tree (patches/postgresql/apply.sh) and build the extension against that install. See the documentation for details.
open_pg_tde 2.3.0
open_pg_tde 2.3.0 provides Transparent Data Encryption for upstream PostgreSQL 16, 17, and 18. No vendor server fork is required: you apply the gated core patch to a stock PostgreSQL source tree and build the extension against it.
Highlights since 2.2.0
- Native PostgreSQL 16, 17, and 18 through the gated core patch (
patches/postgresql/<major>/). With the flag off, the tree builds as unmodified PostgreSQL. - Temporary file encryption (
encrypt_temp_files), AES-128-XTS with a memory-only per-boot key. - AES-256-XTS data cipher (
open_pg_tde.data_cipher = aes_256_xts), alongside AES-128-XTS and the CBC ciphers. - FIPS enforcement (
open_pg_tde.require_fips): all cryptography uses FIPS-approved modes. - New documentation: threat model, FIPS compliance, comparison with Percona pg_tde, and a performance baseline.
- Data-checksum torn-page safety, with a startup warning when neither data checksums nor
wal_log_hintsis enabled.
Source tarballs
Each tarball is a complete source tree (including the libkmip submodule) carrying only the core patch for its PostgreSQL major:
| PostgreSQL | Tarball |
|---|---|
| 18 | open_pg_tde-2.3.0-pg18.tar.gz |
| 17 | open_pg_tde-2.3.0-pg17.tar.gz |
| 16 | open_pg_tde-2.3.0-pg16.tar.gz |
Verify with sha256sum -c SHA256SUMS. To build, apply the core patch to a matching stock PostgreSQL source tree (patches/postgresql/apply.sh) and build the extension against that install. See documentation/docs/install-from-source.md.