Upgrading PostgreSQL to EDB Postgres Extended Server while enabling TDE

Create a new EDB Postgres Extended Server cluster with TDE enabled and use pg_upgrade to transfer data from the existing PostgreSQL cluster to the new encrypted cluster.

  • Prepare your upgrade by performing a backup of the existing instance.
  • Create a new database server.
    • Create an empty directory for the new server and ensure the postgres user owns it.
    • Set the environment variables to export the wrap and unwrap commands for encryption.
    • Initialize a server with encryption enabled.
    • Change the default port so the new server is available at another port.
    • Start the database server.
    • Connect to the database server and ensure it's functioning.
  • Upgrade to the encrypted server.
    • Stop both the source and the new server.
    • Use pg_upgrade with the --copy-by-block option to copy data from the source server to the new server. Specify the source and target bin and data directories.
    • Start the new encrypted database server.
    • Connect to the encrypted database server and ensure the data was transferred.
  • Clean up and delete the source server.
    • Clean up the database and its statistics.
    • Remove the source PostgreSQL cluster with the script provided by pg_upgrade.

Worked example

This example upgrades a PostgreSQL 16 instance to EDB Postgres Extended Server 16 while enabling Transparent Data Encryption on an Ubuntu 22.04 machine. The location of the bin and config directories differs depending on your operating system and Postgres versions.

Preparing your upgrade

  • Install EDB Postgres Extended Server from the EDB repository. Ensure the version you install has the same major version as the source server. pg_upgrade supports upgrades between minor and patch versions but not between different major versions.

  • Use pg_dumpall, pgBackRest, or Barman to create a backup of your unencrypted source server.

Creating an encrypted server

  1. Create an empty directory for the new server. In this example, the directory name is TDE.

    mkdir /var/lib/edb-pge/16/TDE
  2. Ensure the postgres user owns the directory:

    sudo chown postgres /var/lib/edb-pge/16/TDE
    sudo chgrp /var/lib/edb-pge/16/TDE
  3. Set environment variables to export the wrap and unwrap commands:

    export PGDATAKEYWRAPCMD='openssl enc -e -aes-128-cbc -pass pass:ok -out %p'
    export PGDATAKEYUNWRAPCMD='openssl enc -d -aes-128-cbc -pass pass:ok -in %p'
    Note

    Alternatively, use the --key-unwrap-command=<command> and --key-wrap-command=<command> arguments when initializing the encrypted server to include the wrap and unwrap commands.

    See Using initdb TDE options for more information on possible configurations.

  4. Initialize the new server with encryption:

    /usr/lib/edb-pge/16/bin/initdb --data-encryption -D /var/lib/edb-pge/16/TDE

    This command initializes a config directory with all configuration files for the encrypted server.

  5. Modify the default port number in the configuration file of the encrypted instance. Uncomment the line with #port and change the port number. For example:

    port                    5590
  6. Start the encrypted server:

    /usr/lib/edb-pge/16/bin/pg_ctl -D /var/lib/edb-pge/16/TDE start
  7. Connect to the server:

    /usr/lib/edb-pge/16/bin/psql -p 5590
    Note

    If you're using two different Postgres versions, use the psql utility of the encrypted server. Otherwise, the system attempts to use psql from the previous instance.

  8. To ensure the new server is encrypted, check for TDE presence.

Upgrading to the encrypted server

  1. Stop both servers:

    /usr/lib/postgresql/16/bin/pg_ctl -D /var/lib/postgresql/16/non-TDE stop
    /usr/lib/edb-pge/16/bin/pg_ctl -D /var/lib/edb-pge/16/TDE stop
  2. To test for incompatibilities, run the pg_upgrade command in check mode.

    With -b and -B, specify the source and target BIN directories. With -d and -D, specify the source and target config directories. Include the --copy-by-block option.

    /usr/lib/edb-pge/16/bin/pg_upgrade -b /usr/lib/postgresql/16/bin -B /usr/lib/edb-pge/16/bin -d /var/lib/postgresql/16/non-TDE -D /var/lib/edb-pge/16/TDE --copy-by-block --check
    Note

    The --check mode performs preliminary checks without executing the command.

  3. To copy data from the source server to the target server, run the pg_upgrade command in normal mode:

    /usr/lib/edb-pge/16/bin/pg_upgrade -b /usr/lib/postgresql/16/bin -B /usr/lib/edb-pge/16/bin -d /var/lib/postgresql/16/non-TDE -D /var/lib/edb-pge/16/TDE --copy-by-block
  4. Restart the encrypted server:

    /usr/lib/edb-pge/16/bin/pg_ctl -D /var/lib/edb-pge/16/TDE start
  5. Connect to the encrypted database server:

    /usr/lib/edb-pge/16/bin/psql -p 5590
  6. Perform a spot check to ensure the databases, tables, schemas, and resources you had in the unencrypted server are available in the new server. For example, list all databases:

    \l

    Connect to a database, for example hr, and search for existing tables:

    \c hr 
    SELECT * FROM dept;

Cleaning up after upgrade

After you verify that pg_upgrade encrypted the data successfully, perform a cleanup.

  1. As the postgres user, clean up the database and its statistics:

    /usr/lib/edb-pge/16/bin/vacuumdb --all --analyze-in-stages
  2. Remove all data files of the unencrypted server with the script generated by pg_upgrade:

    ./delete_old_cluster.sh