Updated Setup/Test/Var/Yum files based on AA feedback #445

Open: wants to merge 1 commit into base: release-17.5.2
8 changes: 3 additions & 5 deletions contrib/pg_tde/documentation/docs/setup.md
Expand Up @@ -11,7 +11,7 @@ The `pg_tde` extension requires additional shared memory. You need to configure

You can configure the `shared_preload_libraries` parameter in two ways:

* Add the following line to the `shared_preload_libraries` file:
* Add the following line to the `postgresql.conf` file:

```bash
shared_preload_libraries = 'pg_tde'
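Review bot: the fence around `shared_preload_libraries = 'pg_tde'` is tagged `bash`, but that line is a `postgresql.conf` setting, not a shell command; consider an `ini` tag or an untagged fence so readers do not paste it into a shell. The wording fix itself is right: `shared_preload_libraries` is a parameter set in `postgresql.conf`, not a file.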
Expand Down Expand Up @@ -50,20 +50,18 @@ CREATE EXTENSION pg_tde;
See [CREATE EXTENSION :octicons-link-external-16:](https://www.postgresql.org/docs/current/sql-createextension.html) for more details.

!!! note

The `pg_tde` extension is created only for the current database. To enable it for other databases, you must run the command in each individual database.

## 4. (Optional) Enable pg_tde by default

To automatically have `pg_tde` enabled for all new databases, modify the `template1` database:

```
```sql
psql -d template1 -c 'CREATE EXTENSION pg_tde;'
```

!!! note

You can use external key providers to manage encryption keys. The recommended approach is to use the Key Management Store (KMS). See the next step on how to configure the KMS.
It’s recommended to use an external key provider (KMS) to manage encryption keys. For configuration instructions, see [Next steps](#next-steps).

## Next steps

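Review bot: retagging the `psql -d template1 -c 'CREATE EXTENSION pg_tde;'` fence as `sql` is wrong; the line is a shell invocation of `psql` (only the quoted `-c` argument is SQL), so `bash` is the right tag and matches the `shared_preload_libraries` block earlier in this file. The reworded KMS note reads well, and the `[Next steps](#next-steps)` anchor matches the `## Next steps` heading in the trailing context.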
2 changes: 1 addition & 1 deletion contrib/pg_tde/documentation/docs/test.md
Expand Up @@ -29,7 +29,7 @@ After enabling the `pg_tde` extension for a database, you can begin encrypting d
SELECT pg_tde_is_encrypted('table_name');
```

The function returns `t` if the table is encrypted and `f` - if not.
The function returns `true` or `false`. The psql client specifically renders them as `t` or `f` respectively.

3. (Optional) Rotate the principal key.

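Review bot: the rewrite is more accurate, since `pg_tde_is_encrypted()` returns a boolean and `t`/`f` are only psql's rendering of it; drop "specifically" and say "The psql client displays them as `t` and `f`" to keep the sentence tight.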
5 changes: 4 additions & 1 deletion contrib/pg_tde/documentation/docs/variables.md
Expand Up @@ -17,7 +17,10 @@ This variable only controls new writes to the WAL, it doesn't affect existing WA

`pg_tde` is always capable of reading existing encrypted WAL records, as long as the keys used for the encryption are still available.

Enabling WAL encryption requires a configured global principal key. Refer to the [WAL encryption configuration](wal-encryption.md) documentation for more information.
Enabling WAL encryption requires a configured global principal key. Refer to the [WAL encryption configuration](wal-encryption.md) topic for more information.

!!! warning
The WAL encryption feature is currently in beta and is not effective unless explicitly enabled. It is not yet production ready. **Do not enable this feature in production environments**.

## pg_tde.enforce_encryption

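Review bot: the new `!!! warning` block omits the blank line between the marker and its body that the `!!! note` blocks in setup.md use in this same PR; keep the admonitions consistent, and confirm the body line is indented under `!!! warning`, since the Markdown admonition extension otherwise renders it as a plain paragraph. Also, "is not effective unless explicitly enabled" is roundabout; "is disabled by default" says the same thing directly.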
6 changes: 4 additions & 2 deletions contrib/pg_tde/documentation/docs/yum.md
Expand Up @@ -8,10 +8,12 @@ Make sure you check the [list of supported platforms](install.md#__tabbed_1_1) b

The `pg_tde` uses memory locks (mlocks) to keep internal encryption keys in RAM, both for WAL and for user data.

A memory lock (`mlock`) is a system call to lock a specified memory range in RAM for a process. The maximum amount of memory that can be locked differs between systems. You can check the current setting with this command:
A memory lock (`mlock`) is a system call that prevents specified memory ranges from being swapped to disk. Some libraries, such as OpenSSL, may use `mlock` internally to protect sensitive data like encryption keys. However, `pg_tde` does not directly invoke `mlock` in its own code.

You can check the current system limits for locked memory using:

```bash
ulimit -a
ulimit -a
```

Memory locking is done only in memory pages. This means that when a process uses `mlocks`, it locks the entire memory page.
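Review bot: the new paragraph states that `pg_tde` does not directly invoke `mlock` in its own code, but the unchanged line above it still says "The `pg_tde` uses memory locks (mlocks) to keep internal encryption keys in RAM", and the trailing context still says "when a process uses `mlocks`, it locks the entire memory page"; those lines now contradict the new text and should be reworded in the same hunk (for example, that the locking is done by OpenSSL on `pg_tde`'s behalf). Separately, `ulimit -l` reports only the max locked memory limit, which is the value this section is about, whereas `ulimit -a` lists every limit.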