Test Transparent Data Encryption

Warning

This is tech preview functionality. Its scope is not yet finalized and can change at any time. Use it only for testing purposes.

To check if the data is encrypted, do the following:

  1. Create a table in the database for which you have enabled pg_tde. Enabling the pg_tde extension creates the table access method tde_heap. To enable data encryption, create the table using this access method as follows:

    CREATE TABLE <table_name> (<field> <datatype>) USING tde_heap;
    

    Warning: Example for testing purposes only:

    CREATE TABLE albums (
    album_id INTEGER GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    artist_id INTEGER,
    title TEXT NOT NULL,
    released DATE NOT NULL
    ) USING tde_heap;
    
  2. Run the following function:

    SELECT pg_tde_is_encrypted('table_name');
    

    The function returns t if the table is encrypted and f if it is not.

  3. Rotate the principal key when needed:

    SELECT pg_tde_rotate_principal_key(); -- uses automatic key versioning
    -- or
    SELECT pg_tde_rotate_principal_key('new-principal-key', NULL); -- specify new key name
    -- or
    SELECT pg_tde_rotate_principal_key('new-principal-key', 'new-provider'); -- change provider
    
  4. You can encrypt an existing table. This requires rewriting the table, so for large tables it might take a considerable amount of time.

    ALTER TABLE table_name SET ACCESS METHOD tde_heap;
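
The steps above can be combined into one before-and-after check. This is an added example, not part of the original documentation: it assumes pg_tde is enabled and a principal key is configured in the current database, and the table name `albums_plain` is hypothetical. The audit query uses only the standard `pg_class`, `pg_namespace` and `pg_am` catalogs.

```sql
-- 1. Create a table without USING tde_heap, so it gets the default
--    access method (hypothetical table, for testing only).
CREATE TABLE albums_plain (
    album_id INTEGER GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    title    TEXT NOT NULL
);

-- 2. Audit: list user tables whose access method is not tde_heap.
--    The access_method column shows what each table currently uses,
--    so candidates for step 4 of the procedure are easy to spot.
SELECT n.nspname AS schema_name,
       c.relname AS table_name,
       am.amname AS access_method
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
JOIN pg_am am       ON am.oid = c.relam
WHERE c.relkind = 'r'                      -- ordinary tables only
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND am.amname <> 'tde_heap'
ORDER BY schema_name, table_name;

-- 3. Check the table with the pg_tde function before the rewrite.
SELECT pg_tde_is_encrypted('albums_plain');

-- 4. Rewrite the table with the encrypting access method.
ALTER TABLE albums_plain SET ACCESS METHOD tde_heap;

-- 5. Run the same check after the rewrite and compare the results.
SELECT pg_tde_is_encrypted('albums_plain');

-- 6. Confirm the catalog agrees with the function.
SELECT c.relname AS table_name, am.amname AS access_method
FROM pg_class c
JOIN pg_am am ON am.oid = c.relam
WHERE c.relname = 'albums_plain';

-- 7. Clean up the test table.
DROP TABLE albums_plain;
```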
    

Hint

If you no longer wish to use pg_tde or wish to switch to using the tde_heap_basic access method, see how you can decrypt your data.
