TDE pg_upgrade use cases
EDB supports using pg_upgrade with additional EDB upgrade arguments to add encryption to unencrypted systems. This table provides an overview of supported use cases.
| Use case | Source unencrypted server | Target encrypted server |
|---|---|---|
| Perform a minor upgrade and add encryption | Unencrypted EDB Postgres Extended Server 16.1 | Encrypted EDB Postgres Extended Server 16.2 |
| Change the Postgres distribution and add encryption | Unencrypted PostgreSQL 16 | Encrypted EDB Postgres Advanced Server 16 |
| Maintain the Postgres distribution and add encryption | Unencrypted EDB Postgres Advanced Server 15 | Encrypted EDB Postgres Advanced Server 15 |
| Maintain the Postgres distribution and rotate encryption keys | Encrypted EDB Postgres Advanced Server 15 | Encrypted EDB Postgres Advanced Server 15 with new encryption keys |
Important
Both source and target servers must be in the same Postgres major version. pg_upgrade only supports upgrades between minor versions.
Overview
To enable encryption:
- Perform a backup of your system.
- Install the target Postgres version.
- Initialize a new server with TDE enabled.
- Use
pg_upgradewith the--copy-by-blockoption to upgrade to a TDE system.