How to properly upgrade pg_tde from 2.1.1 to 2.1.2 on a Patroni cluster with pgbackrest and WAL encryption?

Environment:

- PostgreSQL 18

- pg_tde 2.1.1

- Patroni HA cluster (2 nodes)

- pgbackrest for backups (repository on nodeA, backups from leader)

- WAL encryption enabled (pg_tde.wal_encrypt = on)

- File-based key provider

- archive_command uses pg_tde_archive_decrypt wrapper

- restore_command uses pg_tde_restore_encrypt wrapper

Current extension state:

\dx

 Name   | Version | Default version | Description
--------+---------+-----------------+----------------------
 pg_tde | 2.1     | 2.1             | pg_tde access method

SELECT pg_tde_version();

pg_tde 2.1.1

# pg_tde.control

default_version = '2.1'

Observation:

Percona uses 2.1 as the extension catalog version for the entire 2.1.x line. This means the deb package version (2.1.1) differs from the PostgreSQL catalog version (2.1). We are not sure whether “ALTER EXTENSION pg_tde UPDATE” would do anything after upgrading to 2.1.2 if default_version in the control file stays 2.1.

Our assumed upgrade flow:

1. Take a full pgbackrest backup before any changes:

pgbackrest --stanza=mydb123 --type=full backup

2. Install new package on both nodes:

sudo apt install percona-pg-tde18

3. Restart the cluster via patroni to load the new shared library (replica first, then leader):

patronictl -c /etc/patroni/mydb123.yml restart mydb123 nodeB

patronictl -c /etc/patroni/mydb123.yml restart mydb123 nodeA

4. Run ALTER EXTENSION in every database where pg_tde is installed (if needed):

-- postgres database (WAL keys)

ALTER EXTENSION pg_tde UPDATE;

-- application database

\c mydb123

ALTER EXTENSION pg_tde UPDATE;

5. Verify:

SELECT extname, extversion FROM pg_extension WHERE extname = 'pg_tde';

SELECT pg_tde_version();

SELECT pg_tde_key_info();

SELECT pg_tde_server_key_info();

Questions:

1. Is “ALTER EXTENSION pg_tde UPDATE” required for a 2.1.1 → 2.1.2 upgrade, or is a package upgrade + restart sufficient? Since default_version in the control file is 2.1 for both versions, the command may be a no-op.

2. Are there any breaking changes or catalog migrations between 2.1.1 and 2.1.2 that require additional steps?

3. Is the order of operations correct – specifically, should the package be installed on both nodes before the patroni restart, or node by node?

4. With WAL encryption enabled, are there any additional precautions needed during the upgrade (e.g. ensuring no WAL archiving failures during the restart window)?

5. Should we take a new full backup after the upgrade completes?
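
A check for the catalog-version point raised in the observation above, added here as an example and not part of the original post or of Percona's tooling: `ALTER EXTENSION ... UPDATE` without a `TO` clause targets the control file's `default_version`, so comparing that with the installed catalog version in each database shows where the statement has anything to do. The function names, the `--live` switch and the sample rows (including the `olddb` entry) are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: per-database check of whether ALTER EXTENSION pg_tde UPDATE
# has work to do. Function names and the --live switch are hypothetical.

# Emit "db|installed_version|default_version" for every connectable database.
# pg_available_extensions reports installed_version for the database you are
# connected to, so the query has to run once per database.
collect_tde_versions() {
  psql -XAtc "SELECT datname FROM pg_database WHERE datallowconn" postgres |
  while IFS= read -r db; do
    psql -XAt -F'|' -d "$db" -c \
      "SELECT current_database(), coalesce(installed_version, ''), default_version
         FROM pg_available_extensions WHERE name = 'pg_tde'"
  done
}

# Read those lines on stdin and classify each database.
plan_tde_update() {
  while IFS='|' read -r db installed target; do
    [ -n "$db" ] || continue
    if [ -z "$installed" ]; then
      echo "$db: pg_tde not installed, skip"
    elif [ "$installed" = "$target" ]; then
      echo "$db: catalog $installed = default_version, ALTER EXTENSION UPDATE is a no-op"
    else
      echo "$db: catalog $installed -> $target, run ALTER EXTENSION pg_tde UPDATE"
    fi
  done
}

# Constructed sample rows (not captured from a real cluster): two databases
# already at the control file's version, one without the extension, and one
# hypothetical database left behind on an older catalog version.
sample_versions() {
  printf '%s\n' 'postgres|2.1|2.1' 'mydb123|2.1|2.1' 'template1||2.1' 'olddb|2.0|2.1'
}

if [ "${1:-}" = "--live" ]; then
  collect_tde_versions | plan_tde_update   # needs psql access on the leader
else
  sample_versions | plan_tde_update        # offline run on the constructed rows
fi
```

This compares catalog versions only; the loaded library version is still what `SELECT pg_tde_version();` reports after the restart.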