pgtde
Percona PostgreSQL 内核,提供透明数据加密 (pg_tde) 能力
pgtde 配置模板使用 Percona PostgreSQL 数据库内核,提供透明数据加密 (Transparent Data Encryption, TDE) 能力。
配置概览
- 配置名称:
pgtde - 节点数量: 单节点
- 配置说明:Percona PostgreSQL 透明数据加密配置
- 适用系统:
el8,el9,el10,d12,d13,u22,u24 - 适用架构:
x86_64 - 相关配置:
meta
启用方式:
./configure -c pgtde [-i <primary_ip>]
配置内容
源文件地址:pigsty/conf/pgtde.yml
---
#==============================================================#
# File : pgtde.yml
# Desc : PG TDE with Percona PostgreSQL 1-node template
# Ctime : 2025-07-04
# Mtime : 2025-12-28
# Docs : https://doc.pgsty.com/config
# License : Apache-2.0 @ https://pigsty.io/docs/about/license/
# Copyright : 2018-2026 Ruohang Feng / Vonng (rh@vonng.com)
#==============================================================#
# This is the config template for Percona PostgreSQL Distribution
# With pg_tde extension, which is compatible with PostgreSQL 18.1
# tutorial: https://doc.pgsty.com/pgsql/kernel/percona
#
# Usage:
# curl https://repo.pigsty.io/get | bash
# ./configure -c pgtde
# ./deploy.yml
all:
children:
infra: { hosts: { 10.10.10.10: { infra_seq: 1 }} ,vars: { repo_enabled: false }}
etcd: { hosts: { 10.10.10.10: { etcd_seq: 1 }} ,vars: { etcd_cluster: etcd }}
#minio: { hosts: { 10.10.10.10: { minio_seq: 1 }} ,vars: { minio_cluster: minio }}
#----------------------------------------------#
# Percona Postgres Database Cluster
#----------------------------------------------#
pg-meta:
hosts:
10.10.10.10: { pg_seq: 1, pg_role: primary }
vars:
pg_cluster: pg-meta
pg_users:
- { name: dbuser_meta ,password: DBUser.Meta ,pgbouncer: true ,roles: [dbrole_admin ] ,comment: pigsty admin user }
- { name: dbuser_view ,password: DBUser.Viewer ,pgbouncer: true ,roles: [dbrole_readonly] ,comment: read-only viewer }
pg_databases:
- name: meta
baseline: cmdb.sql
comment: pigsty tde database
schemas: [pigsty]
extensions: [ vector, postgis, pg_tde ,pgaudit, { name: pg_stat_monitor, schema: monitor } ]
pg_hba_rules:
- { user: dbuser_view , db: all ,addr: infra ,auth: pwd ,title: 'allow grafana dashboard access cmdb from infra nodes' }
node_crontab: [ '00 01 * * * postgres /pg/bin/pg-backup full' ] # make a full backup every 1am
# Percona PostgreSQL TDE Ad Hoc Settings
pg_packages: [ percona-main, pgsql-common ] # install percona postgres packages
pg_libs: 'pg_tde, pgaudit, pg_stat_statements, pg_stat_monitor, auto_explain'
vars:
#----------------------------------------------#
# INFRA : https://doc.pgsty.com/infra/param
#----------------------------------------------#
version: v4.0.0 # pigsty version string
admin_ip: 10.10.10.10 # admin node ip address
region: default # upstream mirror region: default,china,europe
infra_portal: # infra services exposed via portal
home : { domain: i.pigsty } # default domain name
#----------------------------------------------#
# NODE : https://doc.pgsty.com/node/param
#----------------------------------------------#
nodename_overwrite: false # do not overwrite node hostname on single node mode
node_repo_modules: node,infra,pgsql,percona
node_tune: oltp
#----------------------------------------------#
# PGSQL : https://doc.pgsty.com/pgsql/param
#----------------------------------------------#
pg_version: 18 # Default Percona TDE PG Major Version is 18
pg_conf: oltp.yml # pgsql tuning specs: {oltp,olap,tiny,crit}.yml
#----------------------------------------------#
# PASSWORD : https://doc.pgsty.com/config/security
#----------------------------------------------#
grafana_admin_password: pigsty
grafana_view_password: DBUser.Viewer
pg_admin_password: DBUser.DBA
pg_monitor_password: DBUser.Monitor
pg_replication_password: DBUser.Replicator
patroni_password: Patroni.API
haproxy_admin_password: pigsty
minio_secret_key: S3User.MinIO
etcd_root_password: Etcd.Root
...配置解读
pgtde 模板使用 Percona PostgreSQL 内核,提供企业级透明数据加密能力。
关键特性:
- 透明数据加密:数据在磁盘上自动加密,对应用透明
- 密钥管理:支持本地密钥和外部密钥管理系统 (KMS)
- 表级加密:可选择性加密敏感表
- 完整兼容:与原生 PostgreSQL 完全兼容
适用场景:
- 需要满足数据安全合规要求(如 PCI-DSS、HIPAA)
- 存储敏感数据(如个人信息、金融数据)
- 需要静态数据加密的场景
- 对数据安全有严格要求的企业环境
使用方法:
-- 创建加密表
CREATE TABLE sensitive_data (
id SERIAL PRIMARY KEY,
ssn VARCHAR(11)
) USING pg_tde;
-- 或对现有表启用加密
ALTER TABLE existing_table SET ACCESS METHOD pg_tde;
注意事项:
- Percona PostgreSQL 基于 PostgreSQL 18
- 加密会带来一定性能开销(通常 5-15%)
- 需要妥善管理加密密钥
- 不支持 ARM64 架构