Skip to content

Add support for AES 256 encryption #465

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

Add support for AES 256 encryption #465

wants to merge 5 commits into from
+648 −105

Conversation

@dAdAbird
Copy link
Member

@dAdAbird dAdAbird commented Nov 12, 2025

A new GUC option is applied to all newly created keys - both principal and internal.
We had to change the _keys file format to accommodate 32-byte internal keys. So the keys file migration routine was added at server start.

@dAdAbird
Add support for AES 256
2f863f3 
Adds a respective GUC and enables TDE AES lib to handle 128 and 256-bit keys.
Also adds the support for 256 bit encryption of primary keys
@dAdAbird
Add support for AES 256 to WAL
604b1e0
@dAdAbird
Add AES 256 support to SMGR
e15ae29
@dAdAbird
Migrate _keys file to the new format
0de37e7 
It adds `pg_tde/keys_version`, which contains the latest magic number
(version) of the wal and smgr keys. If those versions don't match the
current ones at the server start, it will rewrite _keys to the new
format if needed and update keys_version.
If the start crashed along the way updating _keys, it will retry again
on the next start since keys_version wasn't updated.
@dAdAbird
PG-1968 Make fetools compile
226259f 
This is a temporary fix. Tools will be addressed properly in the following PR
@codecov-commenter
Copy link

codecov-commenter commented Nov 12, 2025

Codecov Report

❌ Patch coverage is 37.11790% with 144 lines in your changes missing coverage. Please review.
✅ Project coverage is 59.08%. Comparing base (44684d3) to head (226259f).
⚠️ Report is 1 commits behind head on main.

❌ Your project status has failed because the head coverage (59.08%) is below the target coverage (90.00%). You can increase the head coverage or adjust the target coverage.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main     #465      +/-   ##
==========================================
- Coverage   59.69%   59.08%   -0.62%     
==========================================
  Files          67       67              
  Lines       10471    10641     +170     
  Branches     1813     1838      +25     
==========================================
+ Hits         6251     6287      +36     
- Misses       3524     3653     +129     
- Partials      696      701       +5
Components Coverage Δ
access 73.06% <22.22%> (-11.83%) ⬇️
catalog 87.93% <100.00%> (ø)
common 77.77% <ø> (ø)
encryption 72.64% <80.95%> (+1.07%) ⬆️
keyring 73.54% <100.00%> (ø)
src 90.90% <61.11%> (-3.30%) ⬇️
smgr 94.06% <100.00%> (ø)
transam ∅ <ø> (∅)
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@dAdAbird @codecov-commenter