Encrypted PostgreSQL on Windows Server

Set up an encrypted database for Pleasant Password Server on Windows Server 2019, 2022, or 2025.

What You Need

  • ✅ Windows Server 2019, 2022, or 2025
  • ✅ 8 GB RAM (16 GB recommended)
  • ✅ 10 GB free disk space
  • ✅ Administrator access
  • ✅ PowerShell 5.1 or later
Note: Why does this use Docker? Percona PostgreSQL with TDE runs on Linux. On Windows Server, Docker provides a lightweight way to run this Linux database alongside your Windows applications. Your data is stored on a persistent volume that survives container restarts and updates.

Setup Steps

  1. Install Docker

    Choose how to run Docker on your server. WSL2 is recommended for most environments.

    WSL2 (Recommended)

    Part A: Enable WSL2

    Run these commands in PowerShell as Administrator, then restart:

    # Enable required features
    Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux -NoRestart
    Enable-WindowsOptionalFeature -Online -FeatureName VirtualMachinePlatform -NoRestart
    
    # Restart the server
    Restart-Computer

    Part B: Install Ubuntu and Docker

    After the server restarts, open PowerShell as Administrator:

    # Set WSL2 as default and install Ubuntu
    wsl --set-default-version 2
    wsl --update
    wsl --install -d Ubuntu-22.04

    Follow the prompts to create a username and password for Ubuntu. Then install Docker inside Ubuntu. Two things to be aware of: the convenience script below is fetched from the internet and executed as root, so if your change-control process requires it, download it first, review it, then run it; and membership in the docker group is equivalent to root on the Ubuntu side, so add only the administrator account you use for this procedure:

    # Inside the Ubuntu shell:
    sudo apt update && sudo apt upgrade -y
    curl -fsSL https://get.docker.com | sudo sh
    sudo usermod -aG docker $USER
    exit

    Re-open the Ubuntu shell to apply group changes, then verify:

    wsl docker --version
    wsl docker run --rm hello-world
    Important: For the remaining steps, add wsl before each docker command when running from PowerShell, or run the commands directly inside the Ubuntu shell.

    Hyper-V (Alternative)

    Use this if WSL2 is not available or you need strict isolation.

    # Enable Hyper-V
    Install-WindowsFeature -Name Hyper-V -IncludeManagementTools -Restart

    After the server restarts:

    • Create a new VM in Hyper-V Manager (Ubuntu Server 22.04 LTS recommended)
    • Allocate at least 4 GB RAM and 20 GB disk
    • Complete the Ubuntu installation
    • Install Docker Engine inside the VM (same commands as WSL2 Part B above)
    • Note the VM's IP address; you will need it for the connection string

    Note: With Hyper-V, Pleasant Password Server connects to the database using the VM's IP address instead of 127.0.0.1. Make sure the VM's firewall allows port 5432 from the Windows host (and ideally from nothing else), and give the VM a static address or a DHCP reservation so the connection string does not silently break after a lease change. TDE protects data at rest only: the PostgreSQL traffic between the Windows host and the VM is not encrypted unless you configure TLS on the server and request it in the connection string.

  2. Start the Encrypted Database

    Replace YourSecurePassword2025! with your own strong password and save it; you will need it again in Step 5. Because the password is passed on the command line, it is recorded in your shell history and is visible in docker inspect output for the container, so clear the history entry afterwards (or supply the variable through docker run --env-file from a file that only root can read).

    WSL2

    Run in the Ubuntu shell (bash):

    docker pull percona/percona-distribution-postgresql:17.9
    docker volume create pleasant-pgdata
    
    docker run --name pleasant-postgres \
      -e POSTGRES_PASSWORD=YourSecurePassword2025! \
      -e POSTGRES_DB=PleasantPasswordServer \
      -e ENABLE_PG_TDE=1 \
      -p 127.0.0.1:5432:5432 \
      -v pleasant-pgdata:/var/lib/postgresql/data \
      --restart=unless-stopped \
      -d percona/percona-distribution-postgresql:17.9

    Or run from PowerShell (with wsl prefix):

    wsl docker pull percona/percona-distribution-postgresql:17.9
    wsl docker volume create pleasant-pgdata
    
    wsl docker run --name pleasant-postgres `
      -e POSTGRES_PASSWORD=YourSecurePassword2025! `
      -e POSTGRES_DB=PleasantPasswordServer `
      -e ENABLE_PG_TDE=1 `
      -p 127.0.0.1:5432:5432 `
      -v pleasant-pgdata:/var/lib/postgresql/data `
      --restart=unless-stopped `
      -d percona/percona-distribution-postgresql:17.9

    Hyper-V

    Run inside the Linux VM via SSH (bash):

    docker pull percona/percona-distribution-postgresql:17.9
    docker volume create pleasant-pgdata
    
    docker run --name pleasant-postgres \
      -e POSTGRES_PASSWORD=YourSecurePassword2025! \
      -e POSTGRES_DB=PleasantPasswordServer \
      -e ENABLE_PG_TDE=1 \
      -p 5432:5432 \
      -v pleasant-pgdata:/var/lib/postgresql/data \
      --restart=unless-stopped \
      -d percona/percona-distribution-postgresql:17.9

    Wait about 30 seconds, then confirm the container is running (its STATUS column should read "Up"):

    docker ps

  3. Turn On Encryption

    Connect to the database:

    docker exec -it pleasant-postgres psql -U postgres -d PleasantPasswordServer

    Run these commands inside the database prompt. The database was created with its capitalization preserved, so its name must be double-quoted in the ALTER DATABASE statement; without the quotes PostgreSQL folds the identifier to lowercase and reports that database "pleasantpasswordserver" does not exist:

    CREATE EXTENSION pg_tde;
    
    -- Register a file-based key provider; the key material lives in this file inside the data directory
    SELECT pg_tde_add_global_key_provider_file(
        'pleasant-keyring',
        '/var/lib/postgresql/data/keyring.dat'
    );
    
    -- Create the principal key in that provider and make it the active key for this database
    SELECT pg_tde_set_principal_key(
        'pleasant-master-key',
        'pleasant-keyring'
    );
    
    -- Make the encrypted access method the default for tables created by new connections to this database
    -- (the double quotes are required: the name is case-sensitive)
    ALTER DATABASE "PleasantPasswordServer" SET default_table_access_method = 'tde_heap';
    
    -- Confirm a principal key is active
    SELECT * FROM pg_tde_principal_key_info();
    
    \q

    Success: You should see a row with pleasant-master-key. Encryption is active for every table created from now on (the ALTER DATABASE setting applies to new sessions, which is why this step comes before the application connects). Tables that already existed before this step stay unencrypted unless they are rewritten with ALTER TABLE ... SET ACCESS METHOD tde_heap. If psql reports that one of the pg_tde functions does not exist, your image ships a different pg_tde release; list the available functions with \df pg_tde* and use the matching names.
  4. Save Your Encryption Key

    Important: Without this key file, encrypted data cannot be recovered. Save it now, and store the copy somewhere your database backups are not, so that a single lost disk or exposed share does not hand over both the ciphertext and its key.

    WSL2

    From PowerShell:

    New-Item -ItemType Directory -Path "C:\PleasantBackups" -Force
    wsl docker cp pleasant-postgres:/var/lib/postgresql/data/keyring.dat /mnt/c/PleasantBackups/keyring-backup.dat

    Hyper-V

    Copy the key from the VM to your Windows host using SCP or a shared folder, then store it in C:\PleasantBackups\.
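
Whichever path you used, the copy in C:\PleasantBackups is now the file an attacker would most like to read. The following PowerShell is an added example, not code from the original guide or from Pleasant: it restricts the backup folder to Administrators and SYSTEM, then compares the SHA-256 of the Windows copy with the keyring inside the container so you know the backup is complete and is the right file. It assumes the WSL2 layout above (container pleasant-postgres, keyring at /var/lib/postgresql/data/keyring.dat, backup at C:\PleasantBackups\keyring-backup.dat); on Hyper-V, swap the wsl docker exec call for an ssh command into the VM.

```powershell
# Added example, not part of the original guide: restrict who can read the key backup
# and prove that the copy on Windows matches the keyring inside the container.
# Assumptions (all from this guide's WSL2 path): container "pleasant-postgres",
# keyring at /var/lib/postgresql/data/keyring.dat, backup folder C:\PleasantBackups.
# Hyper-V: replace the "wsl docker exec" call with "ssh <user>@<vm-ip> docker exec".

$BackupDir      = "C:\PleasantBackups"
$BackupFile     = Join-Path $BackupDir "keyring-backup.dat"
$KeyInContainer = "/var/lib/postgresql/data/keyring.dat"

if (-not (Test-Path $BackupFile)) {
    throw "Backup file $BackupFile not found; run the docker cp step first"
}

# 1. Replace the inherited ACL with one that grants only Administrators and SYSTEM.
#    (OI)(CI) propagates the grant to files and subfolders created later.
icacls $BackupDir /inheritance:r /grant:r "BUILTIN\Administrators:(OI)(CI)F" "NT AUTHORITY\SYSTEM:(OI)(CI)F" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# 2. Hash the Windows copy and the original inside the container.
$localHash = (Get-FileHash -Path $BackupFile -Algorithm SHA256).Hash.ToLower()
$remoteOut = wsl docker exec pleasant-postgres sha256sum $KeyInContainer
if (-not $remoteOut) { throw "Could not read the keyring hash from the container" }
# sha256sum prints "<hash>  <path>"; keep only the hash from the first line
$remoteHash = (($remoteOut | Select-Object -First 1) -split '\s+')[0].ToLower()

# 3. A copy that does not match is worthless at recovery time, so fail loudly.
if ($localHash -ne $remoteHash) {
    throw "Key backup ($localHash) does not match the container keyring ($remoteHash)"
}
Write-Host "Key backup verified. SHA256: $localHash"
Write-Host "Record this hash alongside the backup so a future restore can be checked against it."

# 4. Show the effective ACL so you can confirm no other principals were left with access.
icacls $BackupDir
```

Run it from an elevated PowerShell after the docker cp step. Keep the printed hash with your recovery documentation: a restore drill can then confirm that the key file it is handed is the one that was backed up.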

    Note: The file-based keyring keeps the key in the same data directory, and therefore the same Docker volume, as the data it protects. Anyone who copies that volume or the container filesystem obtains both the ciphertext and the key, so the protection here rests on host file permissions and container isolation rather than on key separation. Percona documents the file provider as intended for development and testing; for production, or where policy requires external key management, pg_tde also supports HashiCorp Vault, OpenBao, and KMIP providers.

  5. Connect Pleasant Password Server

    Connection string (replace the password and server address with yours). The examples connect as the postgres superuser, which is the simplest path; if you prefer a dedicated role, create it before this step and make it the owner of the PleasantPasswordServer database so the application can create its tables:

    # WSL2: use 127.0.0.1
    Server=127.0.0.1;Port=5432;Database=PleasantPasswordServer;User ID=postgres;Password=YourSecurePassword2025!;
    
    # Hyper-V: use your VM's IP address
    Server=192.168.1.100;Port=5432;Database=PleasantPasswordServer;User ID=postgres;Password=YourSecurePassword2025!;

    🆕 New Installation
    1. Download and install Pleasant Password Server
    2. Do not start the service after installation
    3. Open Start Menu → Pleasant Password Server → Service Configuration Utility
    4. Click Database Configuration → choose PostgreSQL
    5. Paste the connection string above
    6. Click Test Connection → should show "Success"
    7. Click Save Changes
    8. Start the service from Windows Services
    9. Open http://localhost:10001 and log in with admin / admin
    10. Change the admin password when prompted

    📦 Existing Installation (Migration)
    1. In the web interface: Settings → Database Backups → Backup Now
    2. Save the backup encryption key securely
    3. Stop the Pleasant Password Server service
    4. Open Service Configuration Utility → Database Configuration → PostgreSQL
    5. Paste connection string → Test Connection → Save Changes
    6. Start the service and log in
    7. Go to Settings → Restore Database → enter backup key → Restore
    8. Restart the service

  6. Verify It Works

    docker exec -it pleasant-postgres psql -U postgres -d PleasantPasswordServer -c "SELECT * FROM pg_tde_principal_key_info();"

    Log into the web interface, create a test entry, and confirm everything works.
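
The key-info query above only proves that a principal key exists; it says nothing about whether Pleasant Password Server's tables were actually created with the encrypted access method. The PowerShell below is an added example, not code from the original guide or from Percona or Pleasant: it pipes a small SQL script into psql in the container and reports, for every user table, which access method it uses. Any row other than tde_heap is a plaintext table. It assumes the names from this guide (container pleasant-postgres, database PleasantPasswordServer, superuser postgres) and runs from PowerShell with the wsl prefix; on Hyper-V, replace wsl docker exec -i with an ssh call into the VM.

```powershell
# Added example, not part of the original guide: check that the application's tables are
# actually stored with the encrypted access method, not only that a principal key exists.
# Assumptions (from this guide): container "pleasant-postgres", database "PleasantPasswordServer",
# superuser "postgres". Hyper-V: replace "wsl docker exec -i" with "ssh <user>@<vm-ip> docker exec -i".

$Sql = @"
-- The per-database default that new connections inherit (set in Step 3).
-- Expected: {default_table_access_method=tde_heap}
SELECT d.datname, s.setconfig
FROM   pg_db_role_setting s
JOIN   pg_database d ON d.oid = s.setdatabase
WHERE  d.datname = current_database();

-- Every ordinary table outside the system schemas, with the access method it was created with.
-- A row showing "heap" is a table stored in plaintext.
SELECT n.nspname AS schema, c.relname AS "table", a.amname AS access_method
FROM   pg_class c
JOIN   pg_namespace n ON n.oid = c.relnamespace
JOIN   pg_am a        ON a.oid = c.relam
WHERE  c.relkind = 'r'
  AND  n.nspname NOT IN ('pg_catalog', 'information_schema')
ORDER  BY a.amname, n.nspname, c.relname;

-- One number to check once the application has created its schema: expected 0.
SELECT count(*) AS plaintext_tables
FROM   pg_class c
JOIN   pg_namespace n ON n.oid = c.relnamespace
JOIN   pg_am a        ON a.oid = c.relam
WHERE  c.relkind = 'r'
  AND  n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND  a.amname <> 'tde_heap';
"@

# psql reads the script from stdin, so use -i (no TTY) instead of the -it used for interactive steps.
# Carriage returns are stripped so psql sees Unix line endings; ON_ERROR_STOP makes a failed
# statement surface as a non-zero exit code instead of scrolling past.
$Sql -replace "`r`n", "`n" | wsl docker exec -i pleasant-postgres psql -U postgres -d PleasantPasswordServer -v ON_ERROR_STOP=1
if ($LASTEXITCODE -ne 0) { throw "psql exited with code $LASTEXITCODE; see the output above" }
```

Run it after the service has started at least once so the application schema exists; the final count should be 0. If it is not, the ALTER DATABASE setting from Step 3 was applied after the tables were created, and those tables need to be rewritten onto tde_heap. Recent pg_tde releases also expose pg_tde_is_encrypted('table_name') for a per-table yes/no answer.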

    Success: ✅ Done. Your encrypted database is running, and table encryption is transparent to the application: Pleasant Password Server needs no changes. Be clear about the scope, though. TDE encrypts the on-disk table, index and TOAST data of tde_heap tables; it does not encrypt the WAL (pg_tde configures WAL encryption separately, and these steps do not enable it), and it does nothing for data in transit or in server memory.

Ensure Docker Starts on Reboot

The database container restarts automatically whenever the Docker daemon starts (the --restart=unless-stopped flag from Step 2). For WSL2, nothing starts the daemon at boot by default, so register a scheduled task that starts the Ubuntu distribution and the Docker service. WSL distributions are registered per user, so the task must run as the account that ran wsl --install, not as SYSTEM, which has no distributions and would fail. Registering the task with that account's password lets it run whether or not the account is logged on:

# Create the script folder and the startup script
New-Item -ItemType Directory -Path "C:\Scripts" -Force | Out-Null
Set-Content -Path "C:\Scripts\Start-DockerWSL.ps1" -Value 'wsl -d Ubuntu-22.04 -u root service docker start'

# Register it to run at startup as the account that owns the WSL distribution
$account = "$env:USERDOMAIN\$env:USERNAME"
Register-ScheduledTask -TaskName "Start-DockerWSL" `
  -Trigger (New-ScheduledTaskTrigger -AtStartup) `
  -Action (New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Start-DockerWSL.ps1") `
  -User $account -Password (Read-Host -Prompt "Password for $account") -RunLevel Highest

Next Steps

Protect your encrypted database with automated backups, key rotation, and disaster recovery planning.

Backups & Recovery →

For application-level backups (password data, settings), also configure automatic backups in the web interface. See the Database Backup and Restore guide for detailed options.

Troubleshooting

WSL2 installation fails

Ensure virtualization is enabled in your server's BIOS/UEFI and that recent Windows updates are installed. Run wsl --status to see the current state. If wsl --set-default-version 2 reports that WSL 2 is not supported or not available, the Windows build predates WSL2 (Windows Server 2019 in particular ships WSL1 only); use the Hyper-V alternative from Step 1 instead.

Cannot connect to localhost:5432 (WSL2)

Try 127.0.0.1 instead of localhost. If that doesn't work, check that Docker is running inside WSL:

wsl -d Ubuntu-22.04 -u root service docker status

Cannot connect to VM IP (Hyper-V)

Allow port 5432 in the VM firewall, restricted to the Windows host's address so the database is not reachable from the rest of the network (replace 192.168.1.10 with your host's IP):

sudo ufw allow from 192.168.1.10 to any port 5432 proto tcp

Then verify the VM's own IP address has not changed with ip addr show; a static address or DHCP reservation prevents the connection string from breaking after a lease change.

Service won't start after configuration

Check Windows Event Viewer for errors. Verify the Docker container is running with docker ps. Test the connection again in the Service Configuration Utility.