What's encrypted with TDE?

TDE encrypts:

  • The files underlying tables, sequences, indexes, including TOAST tables and system catalogs, and including all forks. These files are known as data files.

  • The write-ahead log (WAL).

  • Various temporary files that are used during query processing and database system operation.

Implications
  • Any WAL fetched from a server using TDE, including by streaming replication and archiving, is encrypted.

  • A physical replica is necessarily encrypted (or not encrypted) in the same way and using the same keys as its primary server.

  • If a server uses TDE, a base backup is automatically encrypted.

The following aren't encrypted or otherwise disguised by TDE:

  • Metadata internal to operating the database system that doesn't contain user data, such as the transaction status (for example, pg_subtrans and pg_xact).

  • The file names and file system structure in the data directory. That means that the overall size of the database system, the number of databases, the number of tables, their relative sizes, as well as file system metadata such as last access time are all visible without decryption.

  • Data in foreign tables.

  • The server diagnostics log.

  • Configuration files.

Implications

Logical replication isn't affected by TDE. Publisher and subscriber can have different encryption settings. The payload of the logical replication protocol isn't encrypted. (You can use SSL.)