percona · Andriciuc · Jun 19, 2025 · Jun 23, 2025 · Jun 25, 2025 · Jun 25, 2025
@@ -11,7 +11,7 @@ The `pg_tde` extension requires additional shared memory. You need to configure
 
 You can configure the `shared_preload_libraries` parameter in two ways:
 
-* Add the following line to the `shared_preload_libraries` file:
+* Add the following line to the `postgresql.conf` file:
 
     ```bash
     shared_preload_libraries = 'pg_tde'
@@ -50,20 +50,18 @@ CREATE EXTENSION pg_tde;
 See [CREATE EXTENSION :octicons-link-external-16:](https://www.postgresql.org/docs/current/sql-createextension.html) for more details.
 
 !!! note
-
     The `pg_tde` extension is created only for the current database. To enable it for other databases, you must run the command in each individual database.
 
 ## 4. (Optional) Enable pg_tde by default
 
 To automatically have `pg_tde` enabled for all new databases, modify the `template1` database:
 
-```
+```sql
 psql -d template1 -c 'CREATE EXTENSION pg_tde;'
 ```
 
 !!! note
-
-    You can use external key providers to manage encryption keys. The recommended approach is to use the Key Management Store (KMS). See the next step on how to configure the KMS.
+    It’s recommended to use an external key provider (KMS) to manage encryption keys. For configuration instructions, see [Next steps](#next-steps).
 
 ## Next steps
 

@@ -29,7 +29,7 @@ After enabling the `pg_tde` extension for a database, you can begin encrypting d
     SELECT pg_tde_is_encrypted('table_name');
     ```
 
-    The function returns `t` if the table is encrypted and `f` - if not.
+    The function returns `true` or `false`.
 
 3. (Optional) Rotate the principal key.
 

@@ -17,7 +17,10 @@ This variable only controls new writes to the WAL, it doesn't affect existing WA
 
 `pg_tde` is always capable of reading existing encrypted WAL records, as long as the keys used for the encryption are still available.
 
-Enabling WAL encryption requires a configured global principal key. Refer to the [WAL encryption configuration](wal-encryption.md) documentation for more information.
+Enabling WAL encryption requires a configured global principal key. Refer to the [WAL encryption configuration](wal-encryption.md) topic for more information.
+
+!!! warning
+    The WAL encryption feature is currently in beta and is not effective unless explicitly enabled. It is not yet production ready. **Do not enable this feature in production environments**.
 
 ## pg_tde.enforce_encryption
 

@@ -4,29 +4,6 @@ This tutorial shows how to install `pg_tde` with [Percona Distribution for Postg
 
 Make sure you check the [list of supported platforms](install.md#__tabbed_1_1) before continuing.
 
-## Memory limits for pg_tde keys
-
-The `pg_tde` uses memory locks (mlocks) to keep internal encryption keys in RAM, both for WAL and for user data.  
-
-A memory lock (`mlock`) is a system call to lock a specified memory range in RAM for a process. The maximum amount of memory that can be locked differs between systems. You can check the current setting with this command:
-
-```bash
-    ulimit -a 
-```
-
-Memory locking is done only in memory pages. This means that when a process uses `mlocks`, it locks the entire memory page.
-
-A process can have child processes that share the `mlock` limits of their parent. In PostgreSQL, the parent process is the one that runs the server. And its child backend processes handle client connections to the server.
-
-If the `mlock` limit is greater than the page size, a child process locks another page for its operation. However, when the `mlock` limit equals the page size, the child process cannot run because the max memory limit is already reached by the parent process that used it for reading WAL files. This results in `pg_tde` failing with the error.
-
-To prevent this, you can change the `mlock` limit to be at least twice bigger than the memory page size:
-
-* temporarily for the current session using the `ulimit -l <value>` command.
-* set a new hard limit in the `/etc/security/limits.conf` file. To do so, you require the superuser privileges.
-
-Adjust the limits with caution since it affects other processes running in your system.
-
 ## Install percona-release {.power-number}
 
 You need the `percona-release` repository management tool that enables the desired Percona repository for you.