Schedule - pgDay Paris 2026
The Cryptic Elephant: Column-Level Encryption for PostgreSQL
Date: 2026-03-26
Time: 13:30–14:15
Room: Karnak
This presentation examines transparent encryption solutions for PostgreSQL databases, particularly addressing emerging regulatory requirements from DORA and PCI DSS 4.0. While Full Disk Encryption (FDE) has traditionally provided protection against physical theft and improper disposal, new regulations mandate encryption for data at rest, in transit, and increasingly, data in use. Dalibo introduces The Cryptic Elephant, an open-source Rust-based extension offering Transparent Column Encryption (TCE) compatible with all major versions of PostgreSQL. Unlike cluster-wide encryption approaches, this solution enables selective column encryption while maintaining application transparency. The architecture employs envelope encryption using unique Data Encryption Keys (DEK) protected by external Key Encryption Keys (KEK) managed through Key Management Systems like AWS KMS. Security is enhanced through audited cryptographic libraries (RustCrypto) and data is encrypt