TDE pg_upgrade use cases
EDB supports using pg_upgrade to add encryption to unencrypted systems. This table provides an overview of supported use cases.
Use case | Source unencrypted server | Target encrypted server |
---|---|---|
Perform a minor upgrade and add encryption | Unencrypted EDB Postgres Extended Server 16.1 | Encrypted EDB Postgres Extended Server 16.2 |
Change the Postgres distribution and add encryption | Unencrypted PostgreSQL 16 | Encrypted EDB Postgres Advanced Server 16 |
Maintain the Postgres distribution and add encryption | Unencrypted EDB Postgres Advanced Server 15 | Encrypted EDB Postgres Advanced Server 15 |
Maintain the Postgres distribution and rotate encryption keys | Encrypted EDB Postgres Advanced Server 15 | Encrypted EDB Postgres Advanced Server 15 with new encryption keys |
Important
Both source and target servers must be in the same Postgres major version. pg_upgrade
only supports upgrades between minor versions.
Overview
To enable encryption:
- Perform a backup of your system.
- Install the target Postgres version.
- Initialize a new server with TDE enabled.
- Use
pg_upgrade
with the--copy-by-block
option to upgrade to a TDE system.