{"id":42820,"date":"2026-02-13T10:37:42","date_gmt":"2026-02-13T09:37:42","guid":{"rendered":"https:\/\/www.dbi-services.com\/blog\/?p=42820"},"modified":"2026-02-13T10:37:47","modified_gmt":"2026-02-13T09:37:47","slug":"commercial-postgresql-distributions-with-tde-2-edb-postgres-extended-server-2-tde","status":"publish","type":"post","link":"https:\/\/www.dbi-services.com\/blog\/commercial-postgresql-distributions-with-tde-2-edb-postgres-extended-server-2-tde\/","title":{"rendered":"Commercial PostgreSQL distributions with TDE (2) EDB Postgres Extended Server (2) TDE"},"content":{"rendered":"\n

In the last post<\/a> we’ve looked at how you you get EDB Postgres Extended server installed on your system. In contrast to the version provided by Fujitsu, TDE needs to be enabled when you initialize a new cluster, so lets do this and see how we can proceed from there on.<\/p>\n\n\n\n

When we’ve initialized a new cluster in the last post, we got this output from initdb:<\/p>\n\n\n

\nData page checksums are enabled.\nTransparent data encryption is disabled.\n<\/pre><\/div>\n\n\n
Somehow we need to enable this and the EDB’s version of initdb comes with this options when dealing with TDE:<\/p>\n\n\n
\n[postgres@postgres-tde ~]$ \/usr\/edb\/pge18\/bin\/initdb --help | egrep -A 2 "encryption|key"\n  -y, --data-encryption[=KEYLEN]\n                            enable transparent data encryption\n      --copy-key-from=FILE  copy key from given location (useful for upgrades)\n      --key-wrap-command=CMD\n                            shell command to wrap (encrypt) data encryption key\n      --key-unwrap-command=CMD\n                            shell command to unwrap (decrypt) data encryption key\n      --no-key-wrap         do not wrap the generated data encryption key (insecure!)\n<\/pre><\/div>\n\n\n
“-y, –data-encryption” is apparently about enabling encryption in general and then there are a couple of options around a key. This key is very much like how Fujitsu is doing it with the keystore<\/a>. For production deployments you should retrieve the key from an external keystore and you need to provide the “–key-wrap-command” and “–key-unwrap-command” switches for this. There is also the “–no-key-wrap” but this leaves your key unprotected and should not be used at all. For the scope of this post we’ll protect the key with a passphrase<\/a>:<\/p>\n\n\n
\n# cleanup from previous post\n[postgres@postgres-tde ~]$ rm -rf \/u02\/pgdata\/pge18\/\n# initialize a new cluster with TDE enabled\n[postgres@postgres-tde ~]$ sudo PGSETUP_INITDB_OPTIONS="--encoding UTF-8 --pgdata=\/u02\/pgdata\/pge18 -y --key-wrap-command='openssl enc -e -aes-128-cbc -pbkdf2 -out \\"%p\\"' --key-unwrap-command='openssl enc -d -aes-128-cbc -pbkdf2 -in \\"%p\\"'" \/usr\/edb\/pge18\/bin\/edb-pge-18-setup initdb\nInitializing database ... \n<\/pre><\/div>\n\n\n
This does not give much output and actually nothing was done. Lets use initdb directly without using the “db-pge-18-setup” wrapper:<\/p>\n\n\n
\n[postgres@postgres-tde ~]$ \/usr\/edb\/pge18\/bin\/initdb --encoding UTF-8 --pgdata=\/u02\/pgdata\/pge18 -y --key-wrap-command='openssl enc -e -aes-128-cbc -pbkdf2 -out "%p"' --key-unwrap-command='openssl enc -d -aes-128-cbc -pbkdf2 -in "%p"'\nThe files belonging to this database system will be owned by user "postgres".\nThis user must also own the server process.\n\nThe database cluster will be initialized with locale "en_US.UTF-8".\nThe default text search configuration will be set to "english".\n\nData page checksums are enabled.\nTransparent data encryption is enabled (128 bits).\n\ncreating directory \/u02\/pgdata\/pge18 ... ok\ncreating subdirectories ... ok\nselecting dynamic shared memory implementation ... posix\nselecting default "max_connections" ... 100\nselecting default "shared_buffers" ... 128MB\nselecting default time zone ... Europe\/Berlin\ncreating configuration files ... ok\nsetting up data encryption ... enter AES-128-CBC encryption password:\nVerifying - enter AES-128-CBC encryption password:\nok\nrunning bootstrap script ... enter AES-128-CBC decryption password:\nok\nperforming post-bootstrap initialization ... enter AES-128-CBC decryption password:\nok\nsyncing data to disk ... ok\n\ninitdb: warning: enabling "trust" authentication for local connections\ninitdb: hint: You can change this by editing pg_hba.conf or using the option -A, or --auth-local and --auth-host, the next time you run initdb.\n\nSuccess. You can now start the database server using:\n\n    \/usr\/edb\/pge18\/bin\/pg_ctl -D \/u02\/pgdata\/pge18 -l logfile start\n<\/pre><\/div>\n\n\n
This will ask for the encryption password to be used and generates\/populates PGDATA:<\/p>\n\n\n
\n[postgres@postgres-tde ~]$ ls -la \/u02\/pgdata\/pge18\/\ntotal 60\ndrwx------. 20 postgres postgres  4096 Feb  9 07:52 .\ndrwxr-xr-x.  3 postgres postgres    19 Feb  9 07:52 ..\ndrwx------.  5 postgres postgres    33 Feb  9 07:52 base\ndrwx------.  2 postgres postgres  4096 Feb  9 07:52 global\ndrwx------.  2 postgres postgres     6 Feb  9 07:52 pg_commit_ts\ndrwx------.  2 postgres postgres     6 Feb  9 07:52 pg_dynshmem\ndrwx------.  2 postgres postgres    21 Feb  9 07:52 pg_encryption\n-rw-------.  1 postgres postgres  5721 Feb  9 07:52 pg_hba.conf\n-rw-------.  1 postgres postgres  2681 Feb  9 07:52 pg_ident.conf\ndrwx------.  4 postgres postgres    68 Feb  9 07:52 pg_logical\ndrwx------.  4 postgres postgres    36 Feb  9 07:52 pg_multixact\ndrwx------.  2 postgres postgres     6 Feb  9 07:52 pg_notify\ndrwx------.  2 postgres postgres     6 Feb  9 07:52 pg_replslot\ndrwx------.  2 postgres postgres     6 Feb  9 07:52 pg_serial\ndrwx------.  2 postgres postgres     6 Feb  9 07:52 pg_snapshots\ndrwx------.  2 postgres postgres    25 Feb  9 07:52 pg_stat\ndrwx------.  2 postgres postgres     6 Feb  9 07:52 pg_stat_tmp\ndrwx------.  2 postgres postgres    18 Feb  9 07:52 pg_subtrans\ndrwx------.  2 postgres postgres     6 Feb  9 07:52 pg_tblspc\ndrwx------.  2 postgres postgres     6 Feb  9 07:52 pg_twophase\n-rw-------.  1 postgres postgres     3 Feb  9 07:52 PG_VERSION\ndrwx------.  4 postgres postgres    77 Feb  9 07:52 pg_wal\ndrwx------.  2 postgres postgres    18 Feb  9 07:52 pg_xact\n-rw-------.  1 postgres postgres    88 Feb  9 07:52 postgresql.auto.conf\n-rw-------.  1 postgres postgres 32732 Feb  9 07:52 postgresql.conf\n<\/pre><\/div>\n\n\n
What this did in addition is to add the unwrap command to postgresql.conf:<\/p>\n\n\n
\n[postgres@postgres-tde ~]$ grep wrap "\/u02\/pgdata\/pge18\/postgresql.conf"\ndata_encryption_key_unwrap_command = 'openssl enc -d -aes-128-cbc -pbkdf2 -in "%p"'\n<\/pre><\/div>\n\n\n
Time to start up. When we did the installation in the last post the rpm created a systemd service definition:<\/p>\n\n\n
\n[postgres@postgres-tde ~]$ systemctl list-unit-files | grep edb\nedb-pge-18.service                               disabled        disabled\n<\/pre><\/div>\n\n\n
Of course this service points to the wrong PGDATA so we need to adjust this:<\/p>\n\n\n
\n[postgres@postgres-tde ~]$ grep PGDATA\\= \/usr\/lib\/systemd\/system\/edb-pge-18.service \nEnvironment=PGDATA=\/var\/lib\/edb-pge\/18\/data\/\n[postgres@postgres-tde ~]$ sudo systemctl edit edb-pge-18.service\n### Editing \/etc\/systemd\/system\/edb-pge-18.service.d\/override.conf\n### Anything between here and the comment below will become the new contents of the file\n[service]\nEnvironment=PGDATA=\/u02\/pgdata\/pge18\/\n...\n<\/pre><\/div>\n\n\n
Trying to start PostgreSQL afterwards fails, because the decryption password cannot be retrieved:<\/p>\n\n\n
\n[postgres@postgres-tde ~]$ sudo systemctl start edb-pge-18.service \nJob for edb-pge-18.service failed because the control process exited with error code.\nSee "systemctl status edb-pge-18.service" and "journalctl -xeu edb-pge-18.service" for details.\n[postgres@postgres-tde ~]$ sudo journalctl -u edb-pge-18.service\nFeb 09 08:05:45 postgres-tde systemd[1]: Starting Postgres Extended 18 database server...\nFeb 09 08:05:45 postgres-tde postgres[5303]: enter AES-128-CBC decryption password:\nFeb 09 08:05:45 postgres-tde postgres[5303]: bad password read\nFeb 09 08:05:45 postgres-tde postgres[5303]: 4027EF83CA7F0000:error:1400006B:UI routines:UI_process:processing error:crypto\/ui\/ui_lib.c:552:while reading strings\nFeb 09 08:05:45 postgres-tde postgres[5302]: 2026-02-09 08:05:45.875 CET [5302] FATAL:  could not run command "openssl enc -d -aes-128-cbc -pbkdf2 -in "pg_encryption\/key.bin"": child process exited with exit code 1\nFeb 09 08:05:45 postgres-tde postgres[5302]: 2026-02-09 08:05:45.875 CET [5302] LOG:  database system is shut down\nFeb 09 08:05:45 postgres-tde systemd[1]: edb-pge-18.service: Main process exited, code=exited, status=1\/FAILURE\nFeb 09 08:05:45 postgres-tde systemd[1]: edb-pge-18.service: Failed with result 'exit-code'.\nFeb 09 08:05:45 postgres-tde systemd[1]: Failed to start Postgres Extended 18 database server.\n<\/pre><\/div>\n\n\n
There are two options to resolve this: Either provide the password by passing the reference to a file containing it (not recommended, of course) or you need to use systemd-ask-password<\/a> and tweak the systemd service definition once more. We’ll be going the easy (and not recommended) way and will provide the password using a file and re-initialize the cluster:<\/p>\n\n\n
\n[postgres@postgres-tde ~]$ echo "admin123" > \/home\/postgres\/pass.bin\n[postgres@postgres-tde ~]$ \/usr\/edb\/pge18\/bin\/initdb --data-encryption --key-wrap-command='openssl enc -e -aes-128-cbc -pbkdf2 -pass file:\/home\/postgres\/pass.bin -out "%p"' --key-unwrap-command='openssl enc -d -aes-128-cbc -pbkdf2 -pass file:\/home\/postgres\/pass.bin -in "%p"' --pgdata=\/u02\/pgdata\/pge18\/\nThe files belonging to this database system will be owned by user "postgres".\nThis user must also own the server process.\n\nThe database cluster will be initialized with locale "en_US.UTF-8".\nThe default database encoding has accordingly been set to "UTF8".\nThe default text search configuration will be set to "english".\n\nData page checksums are enabled.\nTransparent data encryption is enabled (128 bits).\n\nfixing permissions on existing directory \/u02\/pgdata\/pge18 ... ok\ncreating subdirectories ... ok\nselecting dynamic shared memory implementation ... posix\nselecting default "max_connections" ... 100\nselecting default "shared_buffers" ... 128MB\nselecting default time zone ... Europe\/Berlin\ncreating configuration files ... ok\nsetting up data encryption ... ok\nrunning bootstrap script ... ok\nperforming post-bootstrap initialization ... ok\nsyncing data to disk ... ok\n\ninitdb: warning: enabling "trust" authentication for local connections\ninitdb: hint: You can change this by editing pg_hba.conf or using the option -A, or --auth-local and --auth-host, the next time you run initdb.\n\nSuccess. You can now start the database server using:\n\n    \/usr\/edb\/pge18\/bin\/pg_ctl -D \/u02\/pgdata\/pge18\/ -l logfile start\n\n[postgres@postgres-tde ~]$ grep -i wrap \/u02\/pgdata\/pge18\/*.conf\n\/u02\/pgdata\/pge18\/postgresql.conf:data_encryption_key_unwrap_command = 'openssl enc -d -aes-128-cbc -pbkdf2 -pass file:\/home\/postgres\/pass.bin -in "%p"'\n<\/pre><\/div>\n\n\n
Time to start the instance:<\/p>\n\n\n
\n[postgres@postgres-tde ~]$ sudo systemctl start edb-pge-18.service\n[postgres@postgres-tde ~]$ sudo systemctl status edb-pge-18.service\n\u25cf edb-pge-18.service - Postgres Extended 18 database server\n     Loaded: loaded (\/usr\/lib\/systemd\/system\/edb-pge-18.service; enabled; preset: disabled)\n    Drop-In: \/etc\/systemd\/system\/edb-pge-18.service.d\n             \u2514\u2500override.conf\n     Active: active (running) since Fri 2026-02-13 08:25:39 CET; 4s ago\n       Docs: https:\/\/www.postgresql.org\/docs\/18\/static\/\n    Process: 1691 ExecStartPre=\/usr\/edb\/pge18\/bin\/edb-pge-18-check-db-dir ${PGDATA} (code=exited, status=0\/SUCCESS)\n   Main PID: 1696 (postgres)\n      Tasks: 9 (limit: 7834)\n     Memory: 21.7M (peak: 22.0M)\n        CPU: 42ms\n     CGroup: \/system.slice\/edb-pge-18.service\n             \u251c\u25001696 \/usr\/edb\/pge18\/bin\/postgres -D \/u02\/pgdata\/pge18\/\n             \u251c\u25001698 "postgres: io worker 0"\n             \u251c\u25001699 "postgres: io worker 2"\n             \u251c\u25001700 "postgres: io worker 1"\n             \u251c\u25001701 "postgres: checkpointer "\n             \u251c\u25001702 "postgres: background writer "\n             \u251c\u25001704 "postgres: walwriter "\n             \u251c\u25001705 "postgres: autovacuum launcher "\n             \u2514\u25001706 "postgres: logical replication launcher "\n\nFeb 13 08:25:39 postgres-tde systemd[1]: Starting Postgres Extended 18 database server...\nFeb 13 08:25:39 postgres-tde postgres[1696]: 2026-02-13 08:25:39.774 CET [1696] LOG:  starting PostgreSQL 18.1 (EDB Postgres Extended Server 18.1.0) on x86_64-pc-linux-gnu, compiled by gcc (GCC) 11.5.0 20240719 (Red Hat 11.5.0-5), 64-b>\nFeb 13 08:25:39 postgres-tde postgres[1696]: 2026-02-13 08:25:39.775 CET [1696] LOG:  listening on IPv6 address "::1", port 5432\nFeb 13 08:25:39 postgres-tde postgres[1696]: 2026-02-13 08:25:39.775 CET [1696] LOG:  listening on IPv4 address "127.0.0.1", port 5432\nFeb 13 08:25:39 postgres-tde postgres[1696]: 2026-02-13 08:25:39.778 CET [1696] LOG:  listening on Unix socket "\/var\/run\/edb-pge\/.s.PGSQL.5432"\nFeb 13 08:25:39 postgres-tde postgres[1696]: 2026-02-13 08:25:39.781 CET [1696] LOG:  listening on Unix socket "\/tmp\/.s.PGSQL.5432"\nFeb 13 08:25:39 postgres-tde postgres[1703]: 2026-02-13 08:25:39.785 CET [1703] LOG:  database system was shut down at 2026-02-13 08:24:53 CET\nFeb 13 08:25:39 postgres-tde postgres[1696]: 2026-02-13 08:25:39.789 CET [1696] LOG:  database system is ready to accept connections\nFeb 13 08:25:39 postgres-tde systemd[1]: Started Postgres Extended 18 database server.\n<\/pre><\/div>\n\n\n
As with Fujitsu, be aware that dumping data with pg_dump (or pg_dumpall) will result in unencrypted data:<\/p>\n\n\n
\n[postgres@postgres-tde ~]$ psql\npsql (18.1 (EDB Postgres Extended Server 18.1.0))\nType "help" for help.\n\npostgres=# create table t ( a int, b text );\nCREATE TABLE\npostgres=# insert into t select i, i::text from generate_series(1,100) i;\nINSERT 0 100\npostgres=# \\q\n[postgres@postgres-tde ~]$ pg_dump > a.sql\n[postgres@postgres-tde ~]$ cat a.sql \n--\n-- PostgreSQL database dump\n--\n...\nCOPY public.t (a, b) FROM stdin;\n1       1\n2       2\n3       3\n4       4\n...\n<\/pre><\/div>\n\n\n
The tools which require the unwrap command are documented here<\/a> (initdb, pg_rewind, …).<\/p>\n\n\n\n
To check if a cluster has TDE enabled (or was initialized with TDE) you can use the pg_control_init function, which also was modified for TDE purposes:<\/p>\n\n\n
\npostgres=# select data_encryption_version, data_encryption_keylen  from pg_control_init();\n data_encryption_version | data_encryption_keylen \n-------------------------+------------------------\n                       1 |                    128\n(1 row)\n<\/pre><\/div>\n\n\n
Some final thoughts:<\/p>\n\n\n\n
    \n
  • In contracts to Fujitsu’s implementation the EDB implementation is not based on tablespaces but the complete cluster.<\/li>\n\n\n\n
  • You need to provide the key when the instance is started, otherwise startup will fail. This is not the case with Fujitsu.<\/li>\n\n\n\n
  • Because encryption is applied instance wide several commands (e.g. pg_rewind) need to be aware of the unwrap command.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"
    In the last post we’ve looked at how you you get EDB Postgres Extended server installed on your system. In contrast to the version provided by Fujitsu, TDE needs to be enabled when you initialize a new cluster, so lets do this and see how we can proceed from there on. When we’ve initialized a […]<\/p>\n","protected":false},"author":29,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[229,198],"tags":[77],"type_dbi":[],"class_list":["post-42820","post","type-post","status-publish","format-standard","hentry","category-database-administration-monitoring","category-database-management","tag-postgresql"],"acf":[],"yoast_head":"\nCommercial PostgreSQL distributions with TDE (2) EDB Postgres Extended Server (2) TDE - dbi Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.dbi-services.com\/blog\/commercial-postgresql-distributions-with-tde-2-edb-postgres-extended-server-2-tde\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Commercial PostgreSQL distributions with TDE (2) EDB Postgres Extended Server (2) TDE\" \/>\n<meta property=\"og:description\" content=\"In the last post we’ve looked at how you you get EDB Postgres Extended server installed on your system. In contrast to the version provided by Fujitsu, TDE needs to be enabled when you initialize a new cluster, so lets do this and see how we can proceed from there on. When we’ve initialized a […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.dbi-services.com\/blog\/commercial-postgresql-distributions-with-tde-2-edb-postgres-extended-server-2-tde\/\" \/>\n<meta property=\"og:site_name\" content=\"dbi Blog\" \/>\n<meta property=\"article:published_time\" content=\"2026-02-13T09:37:42+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-02-13T09:37:47+00:00\" \/>\n<meta name=\"author\" content=\"Daniel Westermann\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@westermanndanie\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Daniel Westermann\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/commercial-postgresql-distributions-with-tde-2-edb-postgres-extended-server-2-tde\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/commercial-postgresql-distributions-with-tde-2-edb-postgres-extended-server-2-tde\/\"},\"author\":{\"name\":\"Daniel Westermann\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/8d08e9bd996a89bd75c0286cbabf3c66\"},\"headline\":\"Commercial PostgreSQL distributions with TDE (2) EDB Postgres Extended Server (2) TDE\",\"datePublished\":\"2026-02-13T09:37:42+00:00\",\"dateModified\":\"2026-02-13T09:37:47+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/commercial-postgresql-distributions-with-tde-2-edb-postgres-extended-server-2-tde\/\"},\"wordCount\":475,\"commentCount\":0,\"keywords\":[\"PostgreSQL\"],\"articleSection\":[\"Database Administration & Monitoring\",\"Database management\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.dbi-services.com\/blog\/commercial-postgresql-distributions-with-tde-2-edb-postgres-extended-server-2-tde\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/commercial-postgresql-distributions-with-tde-2-edb-postgres-extended-server-2-tde\/\",\"url\":\"https:\/\/www.dbi-services.com\/blog\/commercial-postgresql-distributions-with-tde-2-edb-postgres-extended-server-2-tde\/\",\"name\":\"Commercial PostgreSQL distributions with TDE (2) EDB Postgres Extended Server (2) TDE - dbi Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#website\"},\"datePublished\":\"2026-02-13T09:37:42+00:00\",\"dateModified\":\"2026-02-13T09:37:47+00:00\",\"author\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/8d08e9bd996a89bd75c0286cbabf3c66\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/commercial-postgresql-distributions-with-tde-2-edb-postgres-extended-server-2-tde\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.dbi-services.com\/blog\/commercial-postgresql-distributions-with-tde-2-edb-postgres-extended-server-2-tde\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/commercial-postgresql-distributions-with-tde-2-edb-postgres-extended-server-2-tde\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\/\/www.dbi-services.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Commercial PostgreSQL distributions with TDE (2) EDB Postgres Extended Server (2) TDE\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#website\",\"url\":\"https:\/\/www.dbi-services.com\/blog\/\",\"name\":\"dbi Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.dbi-services.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/8d08e9bd996a89bd75c0286cbabf3c66\",\"name\":\"Daniel Westermann\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/31350ceeecb1dd8986339a29bf040d4cd3cd087d410deccd8f55234466d6c317?s=96&d=mm&r=g\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/31350ceeecb1dd8986339a29bf040d4cd3cd087d410deccd8f55234466d6c317?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/31350ceeecb1dd8986339a29bf040d4cd3cd087d410deccd8f55234466d6c317?s=96&d=mm&r=g\",\"caption\":\"Daniel Westermann\"},\"description\":\"Daniel Westermann is Principal Consultant and Technology Leader Open Infrastructure at dbi services. He has more than 15 years of experience in management, engineering and optimization of databases and infrastructures, especially on Oracle and PostgreSQL. Since the beginning of his career, he has specialized in Oracle Technologies and is Oracle Certified Professional 12c and Oracle Certified Expert RAC\/GridInfra. Over time, Daniel has become increasingly interested in open source technologies, becoming \u201cTechnology Leader Open Infrastructure\u201d and PostgreSQL expert. \u00a0Based on community or EnterpriseDB tools, he develops and installs complex high available solutions with PostgreSQL. He is also a certified PostgreSQL Plus 9.0 Professional and a Postgres Advanced Server 9.4 Professional. He is a regular speaker at PostgreSQL conferences in Switzerland and Europe. Today Daniel is also supporting our customers on AWS services such as AWS RDS, database migrations into the cloud, EC2 and automated infrastructure management with AWS SSM (System Manager). He is a certified AWS Solutions Architect Professional. Prior to dbi services, Daniel was Management System Engineer at LC SYSTEMS-Engineering AG in Basel. Before that, he worked as Oracle Developper &\u00a0Project Manager at Delta Energy Solutions AG in Basel (today Powel AG). Daniel holds a diploma in Business Informatics (DHBW, Germany). His branch-related experience mainly covers the pharma industry, the financial sector, energy, lottery and telecommunications.\",\"sameAs\":[\"https:\/\/x.com\/westermanndanie\"],\"url\":\"https:\/\/www.dbi-services.com\/blog\/author\/daniel-westermann\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Commercial PostgreSQL distributions with TDE (2) EDB Postgres Extended Server (2) TDE - dbi Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.dbi-services.com\/blog\/commercial-postgresql-distributions-with-tde-2-edb-postgres-extended-server-2-tde\/","og_locale":"en_US","og_type":"article","og_title":"Commercial PostgreSQL distributions with TDE (2) EDB Postgres Extended Server (2) TDE","og_description":"In the last post we’ve looked at how you you get EDB Postgres Extended server installed on your system. In contrast to the version provided by Fujitsu, TDE needs to be enabled when you initialize a new cluster, so lets do this and see how we can proceed from there on. When we’ve initialized a […]","og_url":"https:\/\/www.dbi-services.com\/blog\/commercial-postgresql-distributions-with-tde-2-edb-postgres-extended-server-2-tde\/","og_site_name":"dbi Blog","article_published_time":"2026-02-13T09:37:42+00:00","article_modified_time":"2026-02-13T09:37:47+00:00","author":"Daniel Westermann","twitter_card":"summary_large_image","twitter_creator":"@westermanndanie","twitter_misc":{"Written by":"Daniel Westermann","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.dbi-services.com\/blog\/commercial-postgresql-distributions-with-tde-2-edb-postgres-extended-server-2-tde\/#article","isPartOf":{"@id":"https:\/\/www.dbi-services.com\/blog\/commercial-postgresql-distributions-with-tde-2-edb-postgres-extended-server-2-tde\/"},"author":{"name":"Daniel Westermann","@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/8d08e9bd996a89bd75c0286cbabf3c66"},"headline":"Commercial PostgreSQL distributions with TDE (2) EDB Postgres Extended Server (2) TDE","datePublished":"2026-02-13T09:37:42+00:00","dateModified":"2026-02-13T09:37:47+00:00","mainEntityOfPage":{"@id":"https:\/\/www.dbi-services.com\/blog\/commercial-postgresql-distributions-with-tde-2-edb-postgres-extended-server-2-tde\/"},"wordCount":475,"commentCount":0,"keywords":["PostgreSQL"],"articleSection":["Database Administration & Monitoring","Database management"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.dbi-services.com\/blog\/commercial-postgresql-distributions-with-tde-2-edb-postgres-extended-server-2-tde\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.dbi-services.com\/blog\/commercial-postgresql-distributions-with-tde-2-edb-postgres-extended-server-2-tde\/","url":"https:\/\/www.dbi-services.com\/blog\/commercial-postgresql-distributions-with-tde-2-edb-postgres-extended-server-2-tde\/","name":"Commercial PostgreSQL distributions with TDE (2) EDB Postgres Extended Server (2) TDE - dbi Blog","isPartOf":{"@id":"https:\/\/www.dbi-services.com\/blog\/#website"},"datePublished":"2026-02-13T09:37:42+00:00","dateModified":"2026-02-13T09:37:47+00:00","author":{"@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/8d08e9bd996a89bd75c0286cbabf3c66"},"breadcrumb":{"@id":"https:\/\/www.dbi-services.com\/blog\/commercial-postgresql-distributions-with-tde-2-edb-postgres-extended-server-2-tde\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.dbi-services.com\/blog\/commercial-postgresql-distributions-with-tde-2-edb-postgres-extended-server-2-tde\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.dbi-services.com\/blog\/commercial-postgresql-distributions-with-tde-2-edb-postgres-extended-server-2-tde\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.dbi-services.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Commercial PostgreSQL distributions with TDE (2) EDB Postgres Extended Server (2) TDE"}]},{"@type":"WebSite","@id":"https:\/\/www.dbi-services.com\/blog\/#website","url":"https:\/\/www.dbi-services.com\/blog\/","name":"dbi Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.dbi-services.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/8d08e9bd996a89bd75c0286cbabf3c66","name":"Daniel Westermann","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/31350ceeecb1dd8986339a29bf040d4cd3cd087d410deccd8f55234466d6c317?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/31350ceeecb1dd8986339a29bf040d4cd3cd087d410deccd8f55234466d6c317?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/31350ceeecb1dd8986339a29bf040d4cd3cd087d410deccd8f55234466d6c317?s=96&d=mm&r=g","caption":"Daniel Westermann"},"description":"Daniel Westermann is Principal Consultant and Technology Leader Open Infrastructure at dbi services. He has more than 15 years of experience in management, engineering and optimization of databases and infrastructures, especially on Oracle and PostgreSQL. Since the beginning of his career, he has specialized in Oracle Technologies and is Oracle Certified Professional 12c and Oracle Certified Expert RAC\/GridInfra. Over time, Daniel has become increasingly interested in open source technologies, becoming \u201cTechnology Leader Open Infrastructure\u201d and PostgreSQL expert. \u00a0Based on community or EnterpriseDB tools, he develops and installs complex high available solutions with PostgreSQL. He is also a certified PostgreSQL Plus 9.0 Professional and a Postgres Advanced Server 9.4 Professional. He is a regular speaker at PostgreSQL conferences in Switzerland and Europe. Today Daniel is also supporting our customers on AWS services such as AWS RDS, database migrations into the cloud, EC2 and automated infrastructure management with AWS SSM (System Manager). He is a certified AWS Solutions Architect Professional. Prior to dbi services, Daniel was Management System Engineer at LC SYSTEMS-Engineering AG in Basel. Before that, he worked as Oracle Developper &\u00a0Project Manager at Delta Energy Solutions AG in Basel (today Powel AG). Daniel holds a diploma in Business Informatics (DHBW, Germany). His branch-related experience mainly covers the pharma industry, the financial sector, energy, lottery and telecommunications.","sameAs":["https:\/\/x.com\/westermanndanie"],"url":"https:\/\/www.dbi-services.com\/blog\/author\/daniel-westermann\/"}]}},"_links":{"self":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/42820","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/users\/29"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/comments?post=42820"}],"version-history":[{"count":11,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/42820\/revisions"}],"predecessor-version":[{"id":42889,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/42820\/revisions\/42889"}],"wp:attachment":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/media?parent=42820"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/categories?post=42820"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/tags?post=42820"},{"taxonomy":"type","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/type_dbi?post=42820"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}