The keystore must be open before you can create an encrypted tablespace.
When creating a tablespace that will be encrypted, configure the encryption algorithm in the runtime parameters. For example, to create a tablespace with the name secure_tablespace using AES with a key length of 256 bits as the encryption algorithm, configure as shown below.
-- Specify the encryption algorithm for the tablespace to be created below
SET tablespace_encryption_algorithm = 'AES256';
CREATE TABLESPACE secure_tablespace LOCATION '/My/Data/Dir';
-- Specify that the tablespace to be created below is not to be encrypted
SET tablespace_encryption_algorithm = 'none';
Or
CREATE TABLESPACE secure_tablespace LOCATION '/My/Data/Dir' WITH (tablespace_encryption_algorithm = 'AES256' );
When the tablespace is empty, the encryption algorithm can be modified with the command below.
ALTER TABLESPACE secure_tablespace SET (tablespace_encryption_algorithm=AES256);
Trying to set the encryption algorithm for a non-empty tablespace causes an error.
You can use AES with a key length of 128 bits or 256 bits as the encryption algorithm. It is recommended that you use 256-bit AES. Refer to "Appendix A Parameters" for information on how to specify the runtime parameters.
If both the runtime parameter (GUC) and the WITH option of the CREATE TABLESPACE command are specified when creating the tablespace, the option given in the command takes precedence.
The pg_default and pg_global tablespaces cannot be encrypted.
Create tables and indexes in the encrypted tablespace that you created. Relations created in the encrypted tablespace are automatically encrypted.
Example
CREATE TABLE my_table (...) TABLESPACE secure_tablespace;
SET default_tablespace = 'secure_tablespace';
CREATE TABLE my_table (...);
The process is the same for encrypting temporary tables and temporary indexes. In other words, either explicitly specify the TABLESPACE clause or list encrypted tablespaces in the temp_tablespaces parameter, and then execute CREATE TEMPORARY TABLE or CREATE INDEX.
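The following script is an added worked example (not part of the original documentation) that ties together the creation rules above and the table and temporary-object steps: it shows that the WITH option overrides the runtime parameter, verifies the recorded algorithm in the catalog, routes new and temporary relations into the encrypted tablespace, and finishes with the ALTER that fails once the tablespace is no longer empty. It assumes the keystore is already open and that /My/Data/Dir is an existing directory owned by the database server user; the table and column names are invented for the example.

```sql
-- Added example, not from the original documentation. Assumes the keystore
-- is open and that /My/Data/Dir exists and is owned by the server user.

-- 1. Precedence check: the runtime parameter says "no encryption", but the
--    WITH option on the command wins, so the tablespace is still AES-256.
SET tablespace_encryption_algorithm = 'none';
CREATE TABLESPACE secure_tablespace
    LOCATION '/My/Data/Dir'
    WITH (tablespace_encryption_algorithm = 'AES256');

-- 2. Verify what was actually recorded. spcoptions is a standard column of
--    pg_tablespace; expect {tablespace_encryption_algorithm=AES256}.
SELECT spcname, spcoptions
  FROM pg_tablespace
 WHERE spcname = 'secure_tablespace';

-- 3. Route new relations and temporary objects there so nothing silently
--    lands in the unencrypted pg_default tablespace.
SET default_tablespace = 'secure_tablespace';
SET temp_tablespaces   = 'secure_tablespace';
CREATE TABLE accounts (id bigint PRIMARY KEY, owner text, balance numeric);
CREATE TEMPORARY TABLE scratch (id bigint);

-- 4. Confirm the table and its primary-key index ended up in the encrypted
--    tablespace (reltablespace is non-zero because it differs from the
--    database default).
SELECT c.relname, t.spcname
  FROM pg_class c
  JOIN pg_tablespace t ON t.oid = c.reltablespace
 WHERE c.relname IN ('accounts', 'accounts_pkey');

-- 5. Changing the algorithm is only allowed while the tablespace is empty;
--    now that it holds a table, this statement is rejected with an error.
ALTER TABLESPACE secure_tablespace SET (tablespace_encryption_algorithm=AES128);
```

Run it as a single script in psql; step 5 is expected to fail, which is the check that the non-empty rule is enforced.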
Point
If an encrypted tablespace is specified in the TABLESPACE clause of the CREATE DATABASE statement, relations created in the database without explicitly specifying a tablespace will be encrypted. Furthermore, the system catalog will also be encrypted, so the source code of user-defined functions is also protected.
CREATE DATABASE DB01 TABLESPACE=SP01 ... ;
Part of the data is also stored in the system catalog - to encrypt this data as well, specify an encrypted tablespace as above and create a database.
An encrypted tablespace cannot be created from the pgAdmin tablespace creation window, or from the query tool using a multi-command string. To create an encrypted tablespace, use the psql console or a single command in the query tool, such as the one shown in the example below.
CREATE TABLESPACE tspace LOCATION '/some/dir/in/the/path' WITH (tablespace_encryption_algorithm='AES256')