How to Enable Encryption at Rest in ParadeDB

Galaxy Glossary

How do I enable encryption at rest in ParadeDB?

Encryption at rest secures ParadeDB’s on-disk data with transparent AES encryption, preventing unauthorized reads of database files or backups.


Description

What does “encryption at rest” mean in ParadeDB?

Encryption at rest automatically encrypts every database page written to disk, WAL segment, and base backup. ParadeDB handles the cryptography, so client applications continue to run unchanged.

When should I encrypt ParadeDB data files?

Enable encryption when your Orders, Customers, and Products tables hold sensitive PII, payment info, or business secrets. Compliance frameworks (PCI-DSS, SOC-2, HIPAA) often require it.

How do I turn on encryption at rest?

Provision ParadeDB with the environment variable PARADEDB_ENCRYPTION_KEY, or pass --encryption-key to paradedb start. ParadeDB rewrites existing files into an encrypted tablespace in place.

Step-by-step

1. Generate a 256-bit key: openssl rand -base64 32 > /secure/keyfile.
2. Export it: export PARADEDB_ENCRYPTION_KEY=$(cat /secure/keyfile).
3. Start ParadeDB: paradedb start --data-dir=/var/lib/paradedb.

How do I verify encryption is active?

Run SHOW parade_encryption;. A value of on confirms every page is encrypted. Reading any file under base/ with hexdump should show random-looking bytes, not plain text.
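As an added example (not ParadeDB's own tooling), the script below automates the hexdump check just described: it samples each file under base/ and flags any whose bytes still look like plaintext, using Shannon entropy and the longest run of printable ASCII. The data-directory path, the thresholds and the two sample pages are assumptions.

```python
import hashlib
import math
from pathlib import Path

ENTROPY_FLOOR = 7.0       # bits per byte; AES output sits close to 8.0 (assumed threshold)
MAX_PRINTABLE_RUN = 24    # a long printable-ASCII run is a strong plaintext signal (assumed)

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def longest_printable_run(data: bytes) -> int:
    """Length of the longest run of printable ASCII bytes (what `strings` would report)."""
    best = run = 0
    for b in data:
        run = run + 1 if 0x20 <= b < 0x7F else 0
        best = max(best, run)
    return best

def looks_encrypted(data: bytes) -> bool:
    """True when a sample has near-uniform bytes and no readable text."""
    return (shannon_entropy(data) >= ENTROPY_FLOOR
            and longest_printable_run(data) < MAX_PRINTABLE_RUN)

def scan_data_dir(base_dir: str, sample_bytes: int = 65536) -> dict:
    """Map each relation file under base/ to True (looks encrypted) or False."""
    results = {}
    for path in sorted(Path(base_dir).rglob("*")):
        if path.is_file():
            with path.open("rb") as f:
                results[str(path)] = looks_encrypted(f.read(sample_bytes))
    return results

# Constructed samples (not real ParadeDB files): an 8 KiB page holding plaintext
# customer rows, and an 8 KiB page of pseudo-random bytes standing in for ciphertext.
PLAINTEXT_PAGE = (b"\x00" * 24 + b"alice@example.com|Alice Smith|555-0100\n" * 100).ljust(8192, b"\x00")
ENCRYPTED_PAGE = b"".join(hashlib.sha256(i.to_bytes(2, "big")).digest() for i in range(256))

if __name__ == "__main__":
    import sys
    report = scan_data_dir(sys.argv[1] if len(sys.argv) > 1 else "/var/lib/paradedb/base")
    for path, ok in report.items():
        print(("ok        " if ok else "PLAINTEXT?") + " " + path)
```

Run it against the cluster's base/ directory after startup; any file reported as PLAINTEXT? deserves a closer look with hexdump before the cluster is trusted with sensitive data.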

Can I create additional encrypted tablespaces?

Yes. Use SELECT parade_create_tablespace('secure_ts','/mnt/secure','aes256'); then ALTER TABLE Orders SET TABLESPACE secure_ts;. ParadeDB re-writes each moved relation encrypted.

What about column-level encryption?

Combine at-rest encryption with pgcrypto or pgsodium for field-level security: UPDATE Customers SET email = crypto_aead_encrypt(email,'','','nonce') WHERE id = 1;.

Does encryption hurt performance?

AES-NI hardware acceleration keeps overhead under 5%. Benchmark your workload; ParadeDB’s buffer cache and parallelism often mask the added latency.

How do I rotate the key safely?

1. Export the new key as PARADEDB_ENCRYPTION_KEY_NEW.
2. Run SELECT parade_rotate_key();. ParadeDB rewrites every file in the background while staying online. Monitor progress via pg_stat_progress_rewrite.

Best practices

• Store keys in an HSM or KMS.
• Automate key rotation every 90 days.
• Encrypt logical backups with gpg even though base backups are already encrypted.

How to Enable Encryption at Rest in ParadeDB Example Usage


-- Check total revenue while cluster is encrypted
SELECT c.name,
       SUM(oi.quantity * p.price) AS customer_spend
FROM   Orders o
JOIN   Customers c ON c.id = o.customer_id
JOIN   OrderItems oi ON oi.order_id = o.id
JOIN   Products p   ON p.id = oi.product_id
GROUP  BY c.name
ORDER  BY customer_spend DESC;

How to Enable Encryption at Rest in ParadeDB Syntax


# Enable cluster-wide encryption at startup (shell; export so the key reaches the server process)
export PARADEDB_ENCRYPTION_KEY=base64:K7yPD9v/LSyC0G0RXzAnK2T9oE1gMAET5LiYfpQkYXI=
paradedb start --data-dir=/var/lib/paradedb

-- Create an encrypted tablespace
SELECT parade_create_tablespace(
    'secure_ts',                        -- tablespace name
    '/mnt/secure',                      -- encrypted mount point
    'aes256'                            -- algorithm
);

-- Move ecommerce data
ALTER TABLE Orders     SET TABLESPACE secure_ts;
ALTER TABLE OrderItems SET TABLESPACE secure_ts;

-- Verify encryption flag
SHOW parade_encryption;

Frequently Asked Questions (FAQs)

Can I enable encryption on an existing ParadeDB cluster?

Yes. Export PARADEDB_ENCRYPTION_KEY then run SELECT parade_encrypt_cluster();. The function rewrites data in place while the database remains online.

Is key rotation online?

ParadeDB supports hot rotation with parade_rotate_key(). Users see no downtime, but expect extra I/O during the rewrite.

Does replication remain encrypted?

Physical replicas stream already-encrypted WAL records, so standby files are protected as well.
