Preparing general docs for GA release #434

Open
wants to merge 14 commits into
base: release-17.5.2
7 changes: 0 additions & 7 deletions contrib/pg_tde/documentation/_resource/overrides/main.html
Expand Up @@ -3,13 +3,6 @@
-#}
{% extends "base.html" %}

{% block announce %}
This is the <strong>Release Candidate 2 (RC2)</strong> of Percona Transparent Data Encryption (TDE) extension.
<p><strong>It is not recommended for production environments at this stage.</strong></p>
<p>We encourage you to test it and <a href= "https://forums.percona.com/c/postgresql/pg-tde-transparent-data-encryption-tde/82">give your feedback</a>.
This will help us improve the product and make it production-ready faster.</p>
{% endblock %}

{% block scripts %}
<script src="https://cmp.osano.com/Azqe5vTyLOSbN3OuT/49ad85b5-0418-4794-ab81-7599dddd534c/osano.js"></script>
{{ super() }}
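Review bot: deleting the whole `{% block announce %}` override removes the only site-wide banner, so after this change the GA site surfaces no notice at all, while the "No upgrade path from RC to GA" warning is only added to individual pages (index.md and install.md) in this PR. If that warning is meant to reach readers who land on any page, keep an `announce` block here with a single sentence linking to the install page instead of removing the block outright.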
23 changes: 1 addition & 22 deletions contrib/pg_tde/documentation/docs/architecture/index.md
Expand Up @@ -239,21 +239,17 @@ This is also the reason why it requires a `dbOid` instead of a name, as it has n

### Deleting providers

Providers can be deleted by using the
Providers can be deleted by using the following functions:

```sql
pg_tde_delete_database_key_provider(provider_name)
pg_tde_delete_global_key_provider(provider_name)
```

functions.

For database specific providers, the function first checks if the provider is used or not, and the provider is only deleted if it's not used.

For global providers, the function checks if the provider is used anywhere, WAL or any specific database, and returns an error if it is.

This somewhat goes against the principle that `pg_tde` should not interact with other databases than the one the user is connected to, but on the other hand, it only does this lookup in the internal `pg_tde` metadata, not in postgres catalogs, so it is a gray zone. Making this check makes more sense than potentially making some databases inaccessible.

### Listing/querying providers

`pg_tde` provides 2 functions to show providers:
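Review bot: the new lead-in `Providers can be deleted by using the following functions:` fixes the split sentence, but the paragraph that follows, `For database specific providers, the function first checks if the provider is used or not, and the provider is only deleted if it's not used.`, still does not say what the caller observes when the provider is in use, whereas the global-provider sentence two lines below says `returns an error if it is`. State the database-provider behaviour the same way (error versus silent no-op) so both cases are documented consistently, and hyphenate `database-specific`.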
Expand All @@ -263,17 +259,6 @@ This somewhat goes against the principle that `pg_tde` should not interact with

These functions return a list of provider names, type and configuration.

### Provider permissions

`pg_tde` implements access control based on execution rights on the administration functions.

For keys and providers administration, it provides two pair of functions:

```sql
pg_tde_GRANT_database_key_management_TO_role
pg_tde_REVOKE_database_key_management_FROM_role
```

### Creating and rotating keys

Principal keys can be created or rotated using the following functions:
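Review bot: removing the entire `### Provider permissions` section leaves the architecture page with no statement of how access to provider administration is controlled; the deleted text said it is based on execution rights on the administration functions, and this PR also deletes the `## Permission management` section from functions.md. The deleted function names (`pg_tde_GRANT_database_key_management_TO_role`) were clearly placeholders and `two pair of functions` listed only one pair, so dropping them is reasonable, but keep a one-sentence replacement such as `Access to provider and key administration is controlled by EXECUTE privileges on the corresponding functions`, or link to wherever the GA permission model is now described.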
Expand Down Expand Up @@ -320,12 +305,6 @@ The `pg_tde_delete_key()` function removes the principal key for the current dat

`pg_tde_verify_key()` checks that the key provider is accessible, that the current principal key can be downloaded from it, and that it is the same as the current key stored in memory - if any of these fail, it reports an appropriate error.

### Key permissions

Users with management permissions to a specific database `(pg_tde_(grant/revoke)_(global/databse)_key_management_(to/from)_role)` can change the keys for the database, and use the current key functions. This includes creating keys using global providers, if `pg_tde.inherit_global_providers` is enabled.

Also the `pg_tde_(grant/revoke)_database_key_management_to_role` function deals with only the specific permission for the above function: it allows a user to change the key for the database, but not to modify the provider configuration.

### Creating encrypted tables

To create an encrypted table or modify an existing table to be encrypted, use the following commands:
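Review bot: with `### Key permissions` removed, the page no longer says which roles may call the key functions, nor that management rights extend to creating keys from global providers when `pg_tde.inherit_global_providers` is enabled. The second point is security-relevant (it widens what a database-level key manager can reach) and should survive somewhere, for example as a sentence under `### Creating and rotating keys` above. If the section is being moved rather than retired, also fix the typo `databse` in the deleted text.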
6 changes: 4 additions & 2 deletions contrib/pg_tde/documentation/docs/faq.md
Expand Up @@ -27,7 +27,7 @@ Using TDE helps you avoid the following risks:

If to translate sensitive data to files stored in your database, these are user data in tables, temporary files, WAL files. TDE has you covered encrypting all these files.

`pg_tde` does not encrypt system catalogs yet. This means that statistics data and database metadata are not encrypted. The encryption of system catalogs is planned for future releases.
`pg_tde` does not encrypt system catalogs yet. This means that statistics data and database metadata are not encrypted.

## Will logical replication work with pg_tde?
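Review bot: dropping `The encryption of system catalogs is planned for future releases.` is right if no such commitment is being made for GA, but the retained sentence still reads `does not encrypt system catalogs yet`, and `yet` carries the same promise; either drop `yet` or keep the plan statement. While this paragraph is being touched, the context line `If to translate sensitive data to files stored in your database, these are user data in tables, temporary files, WAL files.` is ungrammatical; something like `Sensitive data lives in user tables, temporary files and WAL files, and TDE encrypts all of these.` reads better.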

Expand Down Expand Up @@ -121,7 +121,9 @@ We advise encrypting the whole database only if all your data is sensitive, like

For WAL encryption, AES-CTR-128 is used.

The support of other encryption mechanisms such as AES256 is planned for future releases. Reach out to us with your requirements and usage scenarios of other encryption methods are needed.
## Is post-quantum encryption supported?

No, it's not yet supported. In our implementation we reply on OpenSSL libraries that don't yet support post-quantum encryption.

## Can I encrypt an existing table?
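Review bot: typo on the added answer line: `we reply on OpenSSL libraries` should be `we rely on OpenSSL libraries`. Two content points as well. First, the replaced sentence was the FAQ's only statement about AES-256, and the remaining context line `For WAL encryption, AES-CTR-128 is used.` will prompt exactly that question; keep one sentence saying which key sizes are supported. Second, the post-quantum answer conflates two things: TDE uses symmetric AES, for which the quantum-era recommendation is a longer (256-bit) key because Grover's algorithm halves the effective key strength, whereas "post-quantum cryptography" in OpenSSL refers to public-key schemes. A more accurate answer would say that `pg_tde` uses AES, that the post-quantum concern for symmetric encryption is key length, and that key sizes above 128 bits are not yet supported; use `post-quantum cryptography` rather than `post-quantum encryption` in the heading.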

9 changes: 0 additions & 9 deletions contrib/pg_tde/documentation/docs/functions.md
Expand Up @@ -2,15 +2,6 @@

The `pg_tde` extension provides functions for managing different aspects of its operation:

## Permission management

By default, `pg_tde` is locked down. No one is allowed to do any operations until you grant them permissions. Only superusers may add or alter global key providers.

However, database owners can run the “view keys” and “set principal key” functions on their own databases. You can delegate these rights to other roles with the following commands:

* `GRANT EXECUTE ON FUNCTION`
* `REVOKE EXECUTE ON FUNCTION`

## Key provider management

A key provider is a system or service responsible for managing encryption keys. `pg_tde` supports the following key providers:
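Review bot: removing `## Permission management` deletes the only place functions.md states the default posture (`By default, pg_tde is locked down`, `Only superusers may add or alter global key providers`, database owners may view keys and set the principal key) and the delegation mechanism (`GRANT EXECUTE ON FUNCTION` / `REVOKE EXECUTE ON FUNCTION`). If these facts still hold for GA, keep the section, ideally with a concrete form such as `GRANT EXECUTE ON FUNCTION <function> TO <role>`; if the model changed, replace it with the new one. Readers setting up least-privilege key administration need this before the provider functions that follow.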
Expand Up @@ -15,7 +15,7 @@ For testing purposes, you can use a lightweight PyKMIP server, which enables eas
SELECT pg_tde_add_global_key_provider_kmip(
'provider-name',
'kmip-IP',
5696,
`port`,
'/path_to/server_certificate.pem',
'/path_to/client_cert.pem',
'/path_to/client_key.pem'
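Review bot: `` `port`, `` inside the ```sql fence is not valid PostgreSQL: backticks are neither an identifier nor a string delimiter there, so anyone pasting the example gets a syntax error, whereas the replaced `5696,` is the IANA-registered KMIP port and ran as-is. Use `5696,` (optionally with a `-- KMIP port` comment) or a bare placeholder such as `port,` that is explained in the parameter list after the block. The same replacement appears in multi-tenant-setup.md.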
14 changes: 7 additions & 7 deletions contrib/pg_tde/documentation/docs/how-to/multi-tenant-setup.md
Expand Up @@ -64,13 +64,13 @@ You must do these steps for every database where you have created the extension.

```sql
SELECT pg_tde_add_database_key_provider_kmip(
'provider-name',
'kmip-addr',
5696,
'/path_to/client_cert.pem',
'/path_to/client_key.pem',
'/path_to/server_certificate.pem'
);
'provider-name',
'kmip-addr',
`port`,
'/path_to/client_cert.pem',
'/path_to/client_key.pem',
'/path_to/server_certificate.pem'
);
```

where:
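Review bot: same problem as in the global-provider example: `` `port`, `` with backticks inside a SQL fence is a syntax error when pasted; use `5696,` or an unquoted placeholder documented in the `where:` list below. Separately, the argument order in this block (`client_cert.pem`, `client_key.pem`, `server_certificate.pem`) differs from the global example (`server_certificate.pem`, `client_cert.pem`, `client_key.pem`). Since this hunk rewrites every line of the call anyway, check both blocks against the real signatures of `pg_tde_add_database_key_provider_kmip` and `pg_tde_add_global_key_provider_kmip`: passing the server certificate where the client certificate is expected only fails at connection time, which is hard to diagnose from the docs.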
9 changes: 5 additions & 4 deletions contrib/pg_tde/documentation/docs/index.md
@@ -1,9 +1,10 @@
# pg_tde Documentation
# Percona Transparent Data Encryption for PostgreSQL documentation

`pg_tde` is the open source, community driven and futureproof PostgreSQL extension that provides Transparent Data Encryption (TDE) to protect data at rest. `pg_tde` ensures that the data stored on disk is encrypted, and that no one can read it without the proper encryption keys, even if they gain access to the physical storage media.
Percona Transparent Data Encryption for PostgreSQL (`pg_tde`) is an open source, community driven and futureproof PostgreSQL extension that provides Transparent Data Encryption (TDE) to protect data at rest. `pg_tde` ensures that the data stored on disk is encrypted, and that no one can read it without the proper encryption keys, even if they gain access to the physical storage media.

!!! important
This is the {{release}} version of the extension and **it is not meant for production use yet**. We encourage you to use it in testing environments and [provide your feedback](https://forums.percona.com/c/postgresql/pg-tde-transparent-data-encryption-tde/82).
!!! warning "No upgrade path from RC to GA"
There is no safe upgrade path from the previous versions, such as Release Candidate 2, to the General Availability (GA) version of `pg_tde`.
We recommend starting with a **clean installation** for GA deployments. Avoid using RC environments in production.

[Overview](index/index.md){.md-button}
[Get Started](install.md){.md-button}
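Review bot: in the rewritten first paragraph, `community driven` and `futureproof` should be `community-driven` and `future-proof` (both carried over from the old line, but the line is being replaced anyway). The new warning admonition is a verbatim copy of the three lines added to install.md in this PR; keeping the wording in one place (a snippet include, or one page linking to the other) avoids the two drifting apart at the next release.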
6 changes: 3 additions & 3 deletions contrib/pg_tde/documentation/docs/install.md
@@ -1,8 +1,8 @@
# Install pg_tde

<!-- !!! warning "No upgrade path from RC to GA"
There is no safe upgrade path from the Release Candidate 2 (RC2) to the General Availability (GA) version of `pg_tde`.
We recommend starting with a **clean installation** for GA deployments. Avoid using RC environments in production. -->
!!! warning "No upgrade path from RC to GA"
There is no safe upgrade path from the previous versions, such as Release Candidate 2, to the General Availability (GA) version of `pg_tde`.
We recommend starting with a **clean installation** for GA deployments. Avoid using RC environments in production.

To install `pg_tde`, use one of the following methods:
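Review bot: un-commenting the warning and broadening it from `Release Candidate 2 (RC2)` to `previous versions, such as Release Candidate 2` is fine, but the admonition is now identical to the one added to index.md; pick one canonical location to avoid drift. The title `No upgrade path from RC to GA` still names only RC while the body now covers all previous versions; a title such as `No upgrade path from pre-GA versions` would match the body.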

Expand Up @@ -7,5 +7,5 @@
{% if config.site_description %}
<h1>{{ config.site_description }}</h1>
{% endif %}
<h2>Release Candidate (2025-03-27)</h2>
<h2> 1.0 (2025-06-30)</h2>
<!--<h3>Percona Technical Documentation Team</h3>-->
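Review bot: `<h2> 1.0 (2025-06-30)</h2>` has a stray leading space inside the tag. The version is also now hard-coded here while the docs reference a release variable elsewhere (index.md used `{{release}}` before this PR); if that value is defined in the MkDocs config, referencing it from this template avoids updating the cover by hand at each release. The adjacent `<!--<h3>Percona Technical Documentation Team</h3>-->` could be deleted rather than left commented out.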
2 changes: 1 addition & 1 deletion contrib/pg_tde/documentation/mkdocs.yml
@@ -1,6 +1,6 @@
# MkDocs general configuration

site_name: pg_tde documentation
site_name: Percona Transparent Data Encryption for PostgreSQL
site_description: Documentation
site_author: Percona LLC
copyright: >
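Review bot: the new `site_name` is long enough to wrap in the site header and browser tab on narrow screens. Consider keeping a short `site_name` such as `pg_tde documentation` and putting the full product name in `site_description`, which is currently just `Documentation` and is what the cover template renders as its `<h1>` via `{{ config.site_description }}` in the hunk above.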