percona · Andriciuc · Jul 22, 2025
@@ -22,15 +22,15 @@ The following sections break down the key architectural components of this desig
 * Temporary tables
 * Write Ahead Log (WAL), still in beta. **Do not enable this feature in production environments**.
 
-**Extension** means that `pg_tde` should be implemented only as an extension, possibly compatible with any PostgreSQL distribution, including the open source community version. This requires changes in the PostgreSQL core to make it more extensible. Therefore, `pg_tde` currently works only with the [Percona Server for PostgreSQL](https://docs.percona.com/postgresql/17/index.html) - a binary replacement of community PostgreSQL and included in Percona Distribution for PostgreSQL.
+**Extension** means that `pg_tde` should be implemented only as an extension, possibly compatible with any PostgreSQL distribution, including the open source community version. This requires changes in the PostgreSQL core to make it more extensible. Therefore, `pg_tde` currently works only with the [Percona Server for PostgreSQL :octicons-link-external-16:](https://docs.percona.com/postgresql/17/index.html) - a binary replacement of community PostgreSQL and included in Percona Distribution for PostgreSQL.
 
 ## Main components
 
 The main components of `pg_tde` are the following:
 
 * **Core server changes** focus on making the server more extensible, allowing the main logic of `pg_tde` to remain separate, as an extension. Core changes also add encryption-awareness to some command line tools that have to work directly with encrypted tables or encrypted WAL files.
 
-    [Percona Server for PostgreSQL location](https://github.com/percona/postgres/tree/{{tdebranch}})
+    [Percona Server for PostgreSQL location :octicons-link-external-16:](https://github.com/percona/postgres/tree/{{tdebranch}})
 
 * The **`pg_tde` extension itself** implements the encryption code by hooking into the extension points introduced in the core changes, and the already existing extension points in the PostgreSQL server.
 
@@ -50,7 +50,7 @@ In the future these could be extracted into separate shared libraries with an op
 
 `pg_tde` uses one principal key per database. Every internal key for the given database is encrypted using this principal key.
 
-Internal keys are used for specific database files: each file with a different [Object Identifier (OID)](https://www.postgresql.org/docs/current/datatype-oid.html) has a different internal key.
+Internal keys are used for specific database files: each file with a different [Object Identifier (OID) :octicons-link-external-16:](https://www.postgresql.org/docs/current/datatype-oid.html) has a different internal key.
 
 This means that, for example, a table with 4 indexes will have at least 5 internal keys - one for the table, and one for each index.
 
@@ -82,12 +82,9 @@ Later decisions are made using a slightly modified Storage Manager (SMGR) API: w
 
 ### WAL encryption
 
-!!! note
-    The WAL encryption feature is currently in beta and is not effective unless explicitly enabled. It is not yet production ready. **Do not enable this feature in production environments**.
-
 WAL encryption is controlled globally via a global GUC variable, `pg_tde.wal_encrypt`, that requires a server restart.
 
-WAL keys also contain the [LSN](https://www.postgresql.org/docs/17/wal-internals.html) of the first WAL write after key creation. This allows `pg_tde` to know which WAL ranges are encrypted or not and with which key.
+WAL keys also contain the [LSN :octicons-link-external-16:](https://www.postgresql.org/docs/17/wal-internals.html) of the first WAL write after key creation. This allows `pg_tde` to know which WAL ranges are encrypted or not and with which key.
 
 The setting only controls writes so that only WAL writes are encrypted when WAL encryption is enabled. This means that WAL files can contain both encrypted and unencrypted data, depending on what the status of this variable was when writing the data.
 
@@ -147,8 +144,8 @@ Principal keys are stored externally in a Key Management Services (KMS). In `pg_
 
 The following key providers are supported:
 
-* [HashiCorp Vault](https://developer.hashicorp.com/vault/docs/what-is-vault) KV2 secrets engine
-* [OpenBao](https://openbao.org/) implementation of Vault
+* [HashiCorp Vault :octicons-link-external-16:](https://developer.hashicorp.com/vault/docs/what-is-vault) KV2 secrets engine
+* [OpenBao :octicons-link-external-16:](https://openbao.org/) implementation of Vault
 * KMIP compatible servers
 * A local file storage. This storage is intended only for development and testing and is not recommended for production use.
 

@@ -2,9 +2,6 @@
 
 [`pg_waldump` :octicons-link-external-16:](https://www.postgresql.org/docs/current/pgwaldump.html) is a tool to display a human-readable rendering of the Write-Ahead Log (WAL) of a PostgreSQL database cluster.
 
-!!! warning
-    The WAL encryption feature is currently in beta and is not effective unless explicitly enabled. It is not yet production ready. **Do not enable this feature in production environments**.
-
 To read encrypted WAL records, `pg_waldump` supports the following additional arguments:
 
 * `keyring_path` is the directory where the keyring configuration files for WAL are stored. The following files are included:

@@ -94,9 +94,6 @@ The principal key is used to encrypt the internal keys. The principal key is sto
 
 ### WAL encryption
 
-!!! note
-    WAL encryption is currently in beta and is not effective unless explicitly enabled. It is not yet production ready. **Do not enable this feature in production environments**.
-
 WAL encryption is done globally for the entire database cluster. All modifications to any database within a PostgreSQL cluster are written to the same WAL to maintain data consistency and integrity and ensure that PostgreSQL cluster can be restored to a consistent state. Therefore, WAL is encrypted globally.
 
 When you turn on WAL encryption, `pg_tde` encrypts entire WAL files starting from the first WAL write after the server was started with the encryption turned on.
@@ -140,7 +137,7 @@ Since the `SET ACCESS METHOD` command drops hint bits and this may affect the pe
 You must restart the database in the following cases to apply the changes:
 
 * after you enabled the `pg_tde` extension
-* when enabling WAL encryption, which is currently in beta. **Do not enable this feature in production environments**.
+* when enabling WAL encryption
 
 After that, no database restart is required. When you create or alter the table using the `tde_heap` access method, the files are marked as those that require encryption. The encryption happens at the storage manager level, before a transaction is written to disk. Read more about [how tde_heap works](index/table-access-method.md#how-tde_heap-works).
 

@@ -280,8 +280,6 @@ SELECT pg_tde_set_server_key_using_global_key_provider(
 );
 ```
 
-!!! warning
-    The WAL encryption feature is currently in beta and is not effective unless explicitly enabled. It is not yet production ready. **Do not enable this feature in production environments**.
 =======
 The `ensure_new_key` parameter instructs the function how to handle a principal key during key rotation:
 

@@ -32,7 +32,7 @@ Load the `pg_tde` at startup time. The extension requires additional shared memo
        sudo systemctl restart postgresql-17
        ```
 
-3. Create the extension using the [CREATE EXTENSION](https://www.postgresql.org/docs/current/sql-createextension.html) command. You must have the privileges of a superuser or a database owner to use this command. Connect to `psql` as a superuser for a database and run the following command:
+3. Create the extension using the [CREATE EXTENSION :octicons-link-external-16:](https://www.postgresql.org/docs/current/sql-createextension.html) command. You must have the privileges of a superuser or a database owner to use this command. Connect to `psql` as a superuser for a database and run the following command:
 
     ```
     CREATE EXTENSION pg_tde;
@@ -58,7 +58,7 @@ You must do these steps for every database where you have created the extension.
 
         The KMIP server setup is out of scope of this document. 
 
-        Make sure you have obtained the root certificate for the KMIP server and the keypair for the client. The client key needs permissions to create / read keys on the server. Find the [configuration guidelines for the HashiCorp Vault Enterprise KMIP Secrets Engine](https://developer.hashicorp.com/vault/tutorials/enterprise/kmip-engine).
+        Make sure you have obtained the root certificate for the KMIP server and the keypair for the client. The client key needs permissions to create / read keys on the server. Find the [configuration guidelines for the HashiCorp Vault Enterprise KMIP Secrets Engine :octicons-link-external-16:](https://developer.hashicorp.com/vault/tutorials/enterprise/kmip-engine).
 
         For testing purposes, you can use the PyKMIP server which enables you to set up required certificates. To use a real KMIP server, make sure to obtain the valid certificates issued by the key management appliance.
 

@@ -2,10 +2,7 @@
 
 * Keys in the local keyfile are stored **unencrypted**. For better security we recommend using the [Key management storage](../global-key-provider-configuration/index.md).
 * System tables, which include statistics data and database statistics, are currently **not encrypted**.
-* The WAL encryption feature is currently in beta and is not effective unless explicitly enabled. It is not yet production ready. **Do not enable this feature in production environments**.
+* The WAL encryption feature is currently in beta and is not effective unless explicitly enabled.
 * `pg_tde` RC 2 is incompatible with `pg_tde` Beta2 due to significant changes in code. There is no direct upgrade flow from one version to another. You must [uninstall](../how-to/uninstall.md) `pg_tde` Beta2 first and then [install](../install.md) and configure the new Release Candidate version.
 
-!!! important
-    This is the {{release}} version of the extension and **it is not meant for production use yet**. We encourage you to use it in testing environments and [provide your feedback](https://forums.percona.com/c/postgresql/pg-tde-transparent-data-encryption-tde/82).
-
 [Versions and Supported PostgreSQL Deployments](supported-versions.md){.md-button}
@@ -7,7 +7,7 @@
 !!! important
 
     This version of Percona Transparent Data Encryption extension **is 
-    not recommended for production environments yet**. We encourage you to test it and [give your feedback](https://forums.percona.com/c/postgresql/pg-tde-transparent-data-encryption-tde/82).
+    not recommended for production environments yet**. We encourage you to test it and [give your feedback :octicons-link-external-16:](https://forums.percona.com/c/postgresql/pg-tde-transparent-data-encryption-tde/82).
 
     This will help us improve the product and make it production-ready faster.
 

@@ -59,4 +59,4 @@ ALTER TABLE table_name SET ACCESS METHOD tde_heap;
 
 ## Next steps
 
-[Configure WAL Encryption (tech preview) :material-arrow-right:](wal-encryption.md){.md-button}
+[Configure WAL Encryption :material-arrow-right:](wal-encryption.md){.md-button}
@@ -19,9 +19,6 @@ This variable only controls new writes to the WAL, it doesn't affect existing WA
 
 Enabling WAL encryption requires a configured global principal key. Refer to the [WAL encryption configuration](wal-encryption.md) topic for more information.
 
-!!! warning
-    The WAL encryption feature is currently in beta and is not effective unless explicitly enabled. It is not yet production ready. **Do not enable this feature in production environments**.
-
 ## pg_tde.enforce_encryption
 
 **Type** - boolean <br>

@@ -1,7 +1,4 @@
-# Configure WAL Encryption (tech preview)
-
-!!! warning
-    The WAL encryption feature is currently in beta and is not effective unless explicitly enabled. It is not yet production ready. **Do not enable this feature in production environments**.
+# Configure WAL Encryption
 
 Before enabling WAL encryption, follow the steps below to create a principal key and configure it for WAL:
 
@@ -15,7 +12,7 @@ Before enabling WAL encryption, follow the steps below to create a principal key
 
     === "With KMIP server"
 
-        Make sure you have obtained the root certificate for the KMIP server and the keypair for the client. The client key needs permissions to create / read keys on the server. Find the [configuration guidelines for the HashiCorp Vault Enterprise KMIP Secrets Engine](https://developer.hashicorp.com/vault/tutorials/enterprise/kmip-engine).
+        Make sure you have obtained the root certificate for the KMIP server and the keypair for the client. The client key needs permissions to create / read keys on the server. Find the [configuration guidelines for the HashiCorp Vault Enterprise KMIP Secrets Engine :octicons-link-external-16:](https://developer.hashicorp.com/vault/tutorials/enterprise/kmip-engine).
 
         For testing purposes, you can use the PyKMIP server which enables you to set up required certificates. To use a real KMIP server, make sure to obtain the valid certificates issued by the key management appliance.
 
@@ -118,3 +115,5 @@ Now WAL files start to be encrypted for both encrypted and unencrypted tables.
 
 For more technical references related to architecture, variables or functions, see:
 [Technical Reference](advanced-topics/index.md){.md-button}
+
+💬 Need help customizing this for your infrastructure? [Contact Percona support :octicons-link-external-16:](get-help.md)
@@ -185,7 +185,7 @@ nav:
       - "Keyring File Configuration": global-key-provider-configuration/keyring.md
     - "2.2 Global Principal Key Configuration": global-key-provider-configuration/set-principal-key.md
     - "3. Validate Encryption with pg_tde": test.md
-    - "4. Configure WAL Encryption (tech preview)": wal-encryption.md
+    - "4. Configure WAL Encryption": wal-encryption.md
   - "Technical Reference":
     - "Overview": advanced-topics/index.md
     - "Architecture": architecture/index.md
-Original file line number
+Diff line change
@@ Expand Up / @@ -280,8 +280,6 @@ SELECT pg_tde_set_server_key_using_global_key_provider( @@
     );
     ```
-    !!! warning
-        The WAL encryption feature is currently in beta and is not effective unless explicitly enabled. It is not yet production ready. **Do not enable this feature in production environments**.
     =======
     The `ensure_new_key` parameter instructs the function how to handle a principal key during key rotation:
@@ Expand Down @@
Original file line number	Diff line number	Diff line change
Expand Up		@@ -59,4 +59,4 @@ ALTER TABLE table_name SET ACCESS METHOD tde_heap;

		## Next steps

		[Configure WAL Encryption (tech preview) :material-arrow-right:](wal-encryption.md){.md-button}
		[Configure WAL Encryption :material-arrow-right:](wal-encryption.md){.md-button}