TDE pg_upgrade use cases

Suggest edits

EDB supports using pg_upgrade to add encryption to unencrypted systems. This table provides an overview of supported use cases.

Use caseSource unencrypted serverTarget encrypted server
Perform a minor upgrade and add encryptionUnencrypted EDB Postgres Extended Server 16.1Encrypted EDB Postgres Extended Server 16.2
Change the Postgres distribution and add encryptionUnencrypted PostgreSQL 16Encrypted EDB Postgres Advanced Server 16
Maintain the Postgres distribution and add encryptionUnencrypted EDB Postgres Advanced Server 15Encrypted EDB Postgres Advanced Server 15
Maintain the Postgres distribution and rotate encryption keysEncrypted EDB Postgres Advanced Server 15Encrypted EDB Postgres Advanced Server 15 with new encryption keys
Important

Both source and target servers must be in the same Postgres major version. pg_upgrade only supports upgrades between minor versions.

Overview

To enable encryption:

  1. Perform a backup of your system.
  2. Install the target Postgres version.
  3. Initialize a new server with TDE enabled.
  4. Use pg_upgrade with the --copy-by-block option to upgrade to a TDE system.

Tutorials

↑ Up

Transparent Data Encryption

Next →

TDE upgrade arguments