Merge branch 'release-2.2.0'

Author: AndersAstrand

.github/ISSUE_TEMPLATE/bug.yml

@@ -32,7 +32,7 @@ body:
     attributes:
       label: Version
       description: What version of pg_tde and Percona Server PostgreSQL are you running?
-      placeholder: pg_tde 2.1, Percona Server for PostgreSQL 18.0
+      placeholder: pg_tde 2.2, Percona Server for PostgreSQL 18.0
     validations:
       required: true
   - type: textarea

Makefile

@@ -1,7 +1,11 @@
 PGFILEDESC = "pg_tde access method"
 MODULE_big = pg_tde
 EXTENSION = pg_tde
-DATA = pg_tde--2.0--2.1.sql pg_tde--1.0--2.0.sql pg_tde--1.0.sql
+DATA = \
+	pg_tde--1.0.sql \
+	pg_tde--1.0--2.0.sql \
+	pg_tde--2.0--2.1.sql \
+	pg_tde--2.1--2.2.sql
 
 TAP_TESTS = 1
 

documentation/_resource/overrides/main.html

@@ -3,6 +3,32 @@
 -#}
 {% extends "base.html" %}
 
+{% block announce %}
+  <div class="md-banner" style="text-align: center;">
+    Where the open source database community meets:
+    Use code <strong>PERCONA75</strong> and secure your spot for Percona Live.
+
+    <a
+      class="breakdance-link button-atom button-atom--primary bde-button__button"
+      href="https://perconalive.com/2026-usa/"
+      target="_blank"
+      data-type="url"
+      style="
+        padding: 5px 20px;
+        display: inline-block;
+        margin-left: 10px;
+        background-color: #005ed6;
+        border-radius: 999px;
+        text-decoration: none;
+      "
+    >
+      <span class="button-atom__text" style="font-size: 16px; color: #ffffff;">
+        Register
+      </span>
+    </a>
+  </div>
+{% endblock %}
+
 {% block scripts %}
 <script src="https://cmp.osano.com/Azqe5vTyLOSbN3OuT/49ad85b5-0418-4794-ab81-7599dddd534c/osano.js"></script>
 {{ super() }}

documentation/docs/css/extra.css

@@ -60,3 +60,14 @@
   font-size: 0.6rem !important;         /* smaller font */
   color: var(--md-typeset-a-color);
 }
+
+/* Percona live announcement banner */
+
+.md-banner {
+  text-align: center;
+}
+
+.md-banner,
+.md-banner * {
+  font-family: "Poppins", sans-serif !important;
+}

documentation/docs/index/tde-limitations.md

@@ -42,13 +42,6 @@ Limitations of `pg_tde` {{release}}:
     ERROR: 16 invalid pages among blocks 15..30 of relation "base/16384/16438"
     ```
 
-## `pg_upgrade` and encrypted relations
-
-!!! danger "`pg_upgrade` is not supported with `pg_tde`"
-    PostgreSQL clusters that use `pg_tde` cannot currently be upgraded using `pg_upgrade`.
-
-    The `pg_upgrade` tool does not properly handle the internal encryption keys used by `pg_tde`, which prevents the upgraded cluster from decrypting encrypted relations.
-
 ## `ALTER DATABASE ... SET TABLESPACE`
 
 !!! warning "Changing a database tablespace has limited support with `pg_tde`"

documentation/docs/release-notes/release-notes-v2.2.0.md

@@ -0,0 +1,63 @@
+# pg_tde 2.2.0 ({{date.2_2_0}})
+
+The `pg_tde` extension, provided by Percona, adds [Transparent Data Encryption (TDE)](../index/about-tde.md) to PostgreSQL and helps protect sensitive data at rest.
+
+[Get Started](../install.md){.md-button}
+
+## Release Highlights
+
+`pg_tde` now supports 256-bit AES encryption and introduces [`pg_tde_upgrade`](../command-line-tools/pg-tde-upgrade.md), a utility that simplifies the upgrades of encrypted clusters. For more details, see the [Changelog](#changelog).
+
+!!! warning
+    `pg_tde` 2.2.0 is not compatible with Percona Distribution for PostgreSQL older than 17.10 or 18.4.
+
+### Documentation updates
+
+* The [Limitations of pg_tde](../index/tde-limitations.md) topic is updated to include a new section on known incompatibilities with Citus and TimescaleDB, and a clarification of the `ALTER DATABASE ... SET TABLESPACE` behavior, the command can be used but with restrictions when `pg_tde` is active.
+* The [Backup with WAL encryption enabled](../how-to/backup-wal-enabled.md) topic is updated with a clearer description of the key rotation limitation during backups.
+
+## Known issues
+
+* `pg_rewind` and `pg_tde_rewind`
+
+    Using `pg_rewind` or `pg_tde_rewind` between diverged nodes in clusters that use `pg_tde` may lead to corrupted tables or indexes due to internal encryption key differences between clusters.
+
+    Queries may fail with:
+
+    ```bash
+    ERROR: invalid page in block 0 of relation "base/..."
+    ```
+
+    This behavior is a known issue.
+
+    For more information, see [pg_tde limitations](../index/tde-limitations.md).
+
+* The default `mlock` limit on Rocky Linux 8 for ARM64-based architectures equals the memory page size and is 64 Kb. This results in the child process with `pg_tde` failing to allocate another memory page because the max memory limit is reached by the parent process.
+
+    To prevent this, you can change the `mlock` limit to be at least twice the memory page size:
+
+    * temporarily for the current session using the `ulimit -l <value>` command.
+    * set a new hard limit in the `/etc/security/limits.conf` file. To do so, you require the superuser privileges.
+
+    Adjust the limits with caution since it affects other processes running in your system.
+
+## Changelog
+
+Changes introduced in `pg_tde` 2.2.0:
+
+### New Features
+
+- [PG-1968](https://perconadev.atlassian.net/browse/PG-1968) - AES-256 encryption support, `pg_tde` now supports 256-bit AES encryption, providing stronger cryptographic protection for encrypted tablespaces.
+- [PG-2017](https://perconadev.atlassian.net/browse/PG-2017) - AES-256 compatibility for `pg_tde_resetwal`, the `pg_tde_resetwal` utility has been updated to work correctly with AES-256 encrypted data.
+- [PG-2018](https://perconadev.atlassian.net/browse/PG-2018) - AES-256 compatibility for `pg_tde_basebackup`, the `pg_tde_basebackup` utility now fully supports AES-256 encryption, ensuring consistent backup and restore behavior for databases using the new cipher.
+- [PG-2240](https://perconadev.atlassian.net/browse/PG-2240) - Introducing `pg_tde_upgrade`, a utility that automates the steps required to upgrade a `pg_tde`-enabled cluster, making the upgrade process more convenient.
+
+### Improvements
+
+- [PG-2278](https://perconadev.atlassian.net/browse/PG-2278) - Storage manager (SMGR) encryption has been optimized to reuse OpenSSL cipher contexts, reducing overhead and improving throughput for encrypted I/O operations.
+
+### Bug Fixes
+
+- [PG-2240](https://perconadev.atlassian.net/browse/PG-2240) - Fixed an issue where `pg_upgrade` would fail when run against databases containing encrypted data.
+- [PG-1895](https://perconadev.atlassian.net/browse/PG-1895) - Resolved a bug where performing WAL key rotation or SMGR key rotation during a `pg_basebackup` operation could prevent the secondary server from starting successfully.
+- [PG-2125](https://perconadev.atlassian.net/browse/PG-2125) - Fixed key creation failures that occurred when `pg_tde` was configured to use HashiCorp Vault via the KMIP protocol.

documentation/docs/release-notes/release-notes.md

@@ -4,6 +4,7 @@ This page lists all release notes for `pg_tde`, organized by year and version. U
 
 ## 2026
 
+* [2.2.0](release-notes-v2.2.0.md) ({{date.2_2_0}})
 * [2.1.2](release-notes-v2.1.2.md) ({{date.2_1_2}})
 * [2.1.1](release-notes-v2.1.1.md) ({{date.2_1_1}})
 

documentation/mkdocs.yml

@@ -201,6 +201,7 @@ nav:
   - faq.md
   - "Release notes":
     - "Release notes index": release-notes/release-notes.md
+    - "2.2.0": release-notes/release-notes-v2.2.0.md
     - "2.1.2": release-notes/release-notes-v2.1.2.md
     - "2.1.1": release-notes/release-notes-v2.1.1.md
     - "2025":

documentation/variables.yml

@@ -1,13 +1,14 @@
 #Variables used throughout the docs
 
-latestreleasenotes: 'release-notes-v2.1.2'
-tdeversion: '2.1.2'
-release: '2.1.2'
-pgversion17: '18.3'
-tdebranch: release-2.1.2
+latestreleasenotes: 'release-notes-v2.2.0'
+tdeversion: '2.2.0'
+release: '2.2.0'
+pgversion17: '18'
+tdebranch: release-2.2.0
 
 date:
 
+  2_2_0: '2026-05-18'
   2_1_2: '2026-03-02'
   2_1_1: '2026-01-22'
   2_1: '2025-11-28'

expected/version.out

@@ -1,14 +1,14 @@
 SELECT * FROM pg_get_loaded_modules() WHERE file_name IN ('pg_tde.so', 'pg_tde.dylib');
  module_name | version | file_name 
 -------------+---------+-----------
- pg_tde      | 2.1.2   | pg_tde.so
+ pg_tde      | 2.2.0   | pg_tde.so
 (1 row)
 
 CREATE EXTENSION pg_tde;
 SELECT pg_tde_version();
  pg_tde_version 
 ----------------
- pg_tde 2.1.2
+ pg_tde 2.2.0
 (1 row)
 
 DROP EXTENSION pg_tde;