75+ Security & Audit Extensions for PostgreSQL

pgaudit, anon, pgcrypto, pgsodium, and other Postgres extensions for audit logging, encryption, and data anonymization. Ranked by GitHub stars.

Last reviewed: June 5, 2026
22 extensions
1. pgaudit
1.6k stars (+18 in 30 days)
Provides detailed session and object audit logging through PostgreSQL's standard logging facility.
Security & Audit · PostgreSQL License · C

2. audit-trigger
672 stars (+1 in 30 days)
Provides a trigger-based row-level audit log of table changes; intended as a demo and reference rather than for production.
Security & Audit · PLpgSQL

3. pgsodium
604 stars (+2 in 30 days)
Exposes libsodium's cryptographic functions (authenticated encryption, signing, key exchange, password hashing) as SQL functions, with keys that can be managed server-side.
Security & Audit · BSD-3-Clause · C

4. pgMemento
409 stars (+3 in 30 days)
Provides an audit trail with schema versioning using triggers, PL/pgSQL functions, and JSONB delta logging.
Security & Audit · LGPL-3.0 · PLpgSQL

5. vault
228 stars (+3 in 30 days)
Supabase Vault: stores application secrets encrypted at rest in a table and exposes them in decrypted form only through a view.
Security & Audit · Apache-2.0 · C

6. pg_jobmon
200 stars (+0 in 30 days)
Logging and monitoring of functions and scheduled jobs in PostgreSQL, so failed or stalled runs can be detected and alerted on.
Security & Audit · PostgreSQL License · SQL

7. sql_firewall
176 stars (+0 in 30 days)
Learns a whitelist of allowed queries per user id and blocks or warns on unrecognized statements, as a defense against SQL injection.
Security & Audit · C

8. pgextwlist
101 stars (+0 in 30 days)
PostgreSQL extension whitelisting: lets non-superusers run CREATE EXTENSION for an allow-listed set of extensions.
Security & Audit · PostgreSQL License · C

9. supautils
83 stars (+1 in 30 days)
Secures a cluster in a cloud environment by restricting what non-superuser roles may do, such as which extensions they can create and which reserved roles they can modify.
Security & Audit · Apache-2.0 · C

10. credcheck
81 stars (+1 in 30 days)
Plain-text credential checker: inspects the password at CREATE ROLE / ALTER ROLE time and enforces policy (minimum length, required character classes, reuse history).
Security & Audit · PostgreSQL License · C

11. set_user
77 stars (+0 in 30 days)
Similar to SET ROLE but with added logging: a non-superuser can escalate through set_user(), the escalation is logged, and dangerous commands such as ALTER SYSTEM and COPY PROGRAM are blocked while escalated.
Security & Audit · PostgreSQL License · C

12.
Manage authentication sessions using JWTs.
Security & Audit · Apache-2.0 · Rust

13.
Provides a cryptographically verifiable audit trail by applying blockchain-style Merkle proofs to relational data.
Security & Audit · GPL-3.0 · C

14. pg_recall
55 stars (+0 in 30 days)
Tracks changes to selected tables in separate _log tables so rows can be queried as they existed at any past timestamp.
Security & Audit · PLpgSQL

15. libx509pq
50 stars (+0 in 30 days)
Exposes OpenSSL's X.509 certificate parser as SQL functions, powering crt.sh-style certificate transparency search.
Security & Audit · GPL-3.0 · C

16.
Provides trigger-based table auditing that stores row diffs as JSONB for easy querying.
Security & Audit · PLpgSQL

17. logerrors
37 stars (+0 in 30 days)
Collects counts of error, warning and fatal messages from the server log so they can be exported to monitoring.
Security & Audit · BSD-3-Clause · C

18. login_hook
33 stars (+0 in 30 days)
Hook that executes login_hook.login() when a session starts; a way to run per-login logic on PostgreSQL versions that predate core login event triggers.
Security & Audit · GPL-3.0 · C

19. pg_themis
33 stars (+0 in 30 days)
Exposes the Themis cryptographic library to Postgres for encrypting and decrypting data via Secure Cell and Secure Message primitives.
Security & Audit · Apache-2.0 · C

20.
Provides functions and views to inspect PostgreSQL object access privileges across roles.
Security & Audit · PL/pgSQL

21.
Monitor connection attempts per user.
Security & Audit · MIT · C

22.
The PostgreSQL Antivirus.
Security & Audit · PostgreSQL License · C

What is a PostgreSQL Security Extension?

Security extensions add capabilities Postgres core deliberately leaves out: session- and object-level audit logging (pgaudit), data masking and anonymization for non-production environments (anon), modern encryption primitives (pgsodium wraps libsodium and goes beyond pgcrypto), trusted language extensions so tenants can install code without superuser rights (pg_tle), password strength checks at CREATE ROLE / ALTER ROLE time (passwordcheck, credcheck), and controlled, logged privilege escalation (set_user). Audit trails and encryption of sensitive data are recurring requirements of PCI-DSS, HIPAA, SOC 2 and GDPR, and are increasingly expected by enterprise procurement and security review processes.

When to Add a Security Extension

Enable pgaudit when you need a record of DDL or DML operations for compliance; most managed Postgres providers support it out of the box. Use anon when developers need realistic test data without copying PII into staging. Use pgsodium for column-level encryption performed inside the database with server-managed keys. pgcrypto remains the standard for basic crypto operations, and its crypt() is acceptable for password hashing, though hashing in the application keeps plaintext passwords out of the wire, statement logs and pg_stat_statements. Don't pile these on speculatively: each adds latency, audit-log volume, and operational complexity, so enable each one against a concrete compliance or security requirement.

Frequently Asked Questions

What is pgaudit?
pgaudit is the standard PostgreSQL audit logging extension. It writes an audit record to the normal Postgres log for every statement, or for a configurable subset selected by class (READ, WRITE, DDL, ROLE, FUNCTION, MISC), with the audit type, statement id, class, command tag, object type, object name and statement text; the user and database come from log_line_prefix, so configure that as well. It is used to satisfy audit-trail requirements in PCI-DSS, HIPAA, SOX and GDPR. PostgreSQL-licensed, maintained by Crunchy Data, and supported on AWS RDS, Aurora, Supabase, Neon and Azure; typically scoped per database or per role (ALTER DATABASE / ALTER ROLE ... SET pgaudit.log) to limit log volume.
What's the difference between pgcrypto and pgsodium?
pgcrypto ships with Postgres core (in contrib) and provides classic primitives: crypt()/gen_salt() password hashing (bcrypt via 'bf', plus md5, xdes and des), raw AES and Blowfish symmetric encryption, PGP-style symmetric and public-key (RSA, ElGamal) encryption, and MD5/SHA digests with HMAC. pgsodium is newer and wraps libsodium, giving you modern primitives (XChaCha20-Poly1305 authenticated encryption, X25519 key exchange, Ed25519 signing, Argon2id password hashing via crypto_pwhash_str()) and adds Postgres-specific patterns such as column-level encryption with a server-managed key. For password hashing, pgcrypto's crypt() with gen_salt('bf', cost) is still fine. For new encryption work, pgsodium is the better starting point.
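Password hashing and verification done both ways, as an added example that is not from the page or from the pgcrypto/pgsodium projects. The app_user tables, the usernames and the sample password are constructed for this example; the function names are the real pgcrypto and pgsodium ones.

```sql
-- Added example: store and verify a password hash with pgcrypto (bcrypt),
-- then the equivalent with pgsodium (Argon2id). Tables and data are constructed.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE app_user (
  username text PRIMARY KEY,
  pw_hash  text NOT NULL          -- bcrypt string, e.g. $2a$12$...
);

-- Hash with bcrypt ('bf') at cost 12; gen_salt() draws a fresh random salt.
INSERT INTO app_user VALUES
  ('alice', crypt('correct horse battery staple', gen_salt('bf', 12)));

-- Verify by re-hashing the candidate with the stored hash as the salt
-- argument: crypt() reuses the algorithm, cost and salt embedded in it.
SELECT username
  FROM app_user
 WHERE username = 'alice'
   AND pw_hash = crypt('correct horse battery staple', pw_hash);   -- 1 row
SELECT username
  FROM app_user
 WHERE username = 'alice'
   AND pw_hash = crypt('wrong password', pw_hash);                  -- 0 rows

-- pgsodium equivalent: Argon2id via libsodium's crypto_pwhash_str.
-- Both the password and the stored hash are bytea here.
CREATE EXTENSION IF NOT EXISTS pgsodium;
CREATE TABLE app_user_argon (
  username text PRIMARY KEY,
  pw_hash  bytea NOT NULL
);
INSERT INTO app_user_argon VALUES
  ('bob', pgsodium.crypto_pwhash_str('correct horse battery staple'::bytea));

SELECT pgsodium.crypto_pwhash_str_verify(pw_hash, 'correct horse battery staple'::bytea)
  FROM app_user_argon
 WHERE username = 'bob';                                            -- true
```

Note that in every statement above the plaintext password is part of the SQL text, so it can surface in log_statement output, pg_stat_statements and pgaudit records; if that matters, hash in the application and store only the result.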
How do I anonymize Postgres data for development?
Use the anon extension (PostgreSQL Anonymizer, by Dalibo): declare a masking rule per column with SECURITY LABEL (replace names with fake ones, keep only the shape of an e-mail address, redact phone numbers or free-text notes), then run SELECT anon.anonymize_database(); on a copy of production to apply the rules in place. The result is a sanitized snapshot safe for developer laptops, staging, and ML training sets. anon supports static masking (in place), dynamic masking (masked roles transparently see masked data), and masked dumps via pg_dump_anon.
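The static-masking workflow just described, as an added example that is not from the page or from the anon project. It assumes the anon library is loaded (shared_preload_libraries or session_preload_libraries = 'anon') so that the security-label provider exists, and that it runs on a restored copy of production, never on production itself. The customer table, its columns and rows are constructed for the example; the anon function names are the project's own.

```sql
-- Added example: static masking rules declared with SECURITY LABEL, then
-- applied in place with anon.anonymize_database(). Table and rows constructed.
CREATE EXTENSION IF NOT EXISTS anon CASCADE;
SELECT anon.init();                     -- load the built-in fake-data tables

CREATE TABLE customer (
  id         serial PRIMARY KEY,
  first_name text,
  last_name  text,
  email      text,
  phone      text,
  notes      text
);
INSERT INTO customer (first_name, last_name, email, phone, notes) VALUES
  ('Ada',  'Lovelace', 'ada@example.com',  '+44 20 7946 0958', 'VIP, prefers post'),
  ('Alan', 'Turing',   'alan@example.org', '+44 1234 567890',  'asked for data export');

-- One rule per PII column. Columns without a rule (id) are left untouched.
SECURITY LABEL FOR anon ON COLUMN customer.first_name
  IS 'MASKED WITH FUNCTION anon.fake_first_name()';
SECURITY LABEL FOR anon ON COLUMN customer.last_name
  IS 'MASKED WITH FUNCTION anon.fake_last_name()';
SECURITY LABEL FOR anon ON COLUMN customer.email
  IS 'MASKED WITH FUNCTION anon.partial_email(email)';   -- keeps the shape, e.g. ad******@ex******.com
SECURITY LABEL FOR anon ON COLUMN customer.phone
  IS 'MASKED WITH FUNCTION anon.random_phone()';
SECURITY LABEL FOR anon ON COLUMN customer.notes
  IS 'MASKED WITH VALUE NULL';                             -- free text: redact, do not fake

-- Review the declared rules before destroying anything.
SELECT * FROM anon.pg_masking_rules;

-- Static masking rewrites every labelled column in place. There is no undo;
-- the masked database is what you pg_dump for developers.
SELECT anon.anonymize_database();

SELECT id, first_name, last_name, email, phone, notes FROM customer;
```

Free-text columns are the usual leak: a fake generator cannot know what a note contains, so the rule above nulls the column rather than trying to preserve it.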
Does pgaudit work on AWS RDS Postgres?
Yes. pgaudit is supported on AWS RDS for PostgreSQL and Aurora PostgreSQL. Enable it by adding pgaudit to shared_preload_libraries in the DB parameter group (a reboot is required), setting pgaudit.log to the statement classes you want (for example 'ddl, write'), and, for object-level auditing, creating the rds_pgaudit role in the database, setting pgaudit.role = 'rds_pgaudit' and granting that role privileges on the tables to audit. Turn pgaudit.log_catalog off if catalog queries from psql or ORMs flood the log. Records land in the regular PostgreSQL log, which RDS can publish to CloudWatch Logs. Supabase, Neon, and Azure support pgaudit similarly. Audit-log volume can be significant: start narrow (DDL only) and expand as compliance requires.
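Scoping pgaudit so it does not drown the log, as an added example covering both the general pgaudit description above and the RDS question; it is not code from the page or the pgaudit project. It assumes pgaudit is already in shared_preload_libraries and the extension is created, and that the session runs as a superuser (on RDS, use the parameter group instead of ALTER SYSTEM and name the audit role rds_pgaudit). The app_admin and auditor roles and the customers.card table are hypothetical.

```sql
-- Added example: session auditing for DDL everywhere, object auditing for
-- one sensitive table only. Role and table names are hypothetical.

-- 1. Session auditing: every DDL statement, for every role, in every database.
ALTER SYSTEM SET pgaudit.log = 'ddl';
ALTER SYSTEM SET pgaudit.log_catalog = off;     -- skip pg_catalog chatter from psql/ORMs
ALTER SYSTEM SET pgaudit.log_parameter = off;   -- bound parameters frequently carry PII
SELECT pg_reload_conf();

-- Widen the scope for one privileged role without touching everyone else.
ALTER ROLE app_admin SET pgaudit.log = 'ddl, role, write';

-- 2. Object auditing: log only statements that touch specific relations.
CREATE ROLE auditor NOLOGIN;
ALTER SYSTEM SET pgaudit.role = 'auditor';      -- on RDS: rds_pgaudit via the parameter group
SELECT pg_reload_conf();

-- A statement on customers.card is logged when the auditor role holds the
-- matching privilege on it; tables the auditor has no privilege on stay quiet.
GRANT SELECT, UPDATE, DELETE ON customers.card TO auditor;

-- 3. Check the effective settings in a new session before relying on them.
SHOW pgaudit.log;
SHOW pgaudit.role;

-- Constructed sample of the resulting object audit record (fields:
-- AUDIT_TYPE,STATEMENT_ID,SUBSTATEMENT_ID,CLASS,COMMAND,OBJECT_TYPE,OBJECT_NAME,STATEMENT,PARAMETER):
-- AUDIT: OBJECT,1,1,READ,SELECT,TABLE,customers.card,"select pan from customers.card where id = $1",<none>
```

Object auditing is the cheaper and more precise lever for PCI-style "who read the card table" questions; session-level READ/WRITE logging on a busy OLTP database is what produces the log-volume problem the answer above warns about.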
How do I encrypt sensitive columns in Postgres?
Three approaches. (1) Application-side encryption: encrypt before INSERT, decrypt after SELECT; most flexible and you control the keys (ideally in a KMS), but the database can no longer index, search or constrain the plaintext. (2) pgcrypto: pgp_sym_encrypt()/pgp_sym_decrypt() for column-level encryption; it works, but the passphrase is passed inside every statement, so it can surface in log_statement output, pg_stat_statements and pgaudit records. (3) pgsodium transparent column encryption: keys live in a server-side keyring derived from a root key that never enters SQL, and a SECURITY LABEL FOR pgsodium ON COLUMN ... IS 'ENCRYPT WITH KEY ID ...' label makes the column encrypt on write and exposes plaintext only through a generated decrypted_<table> view. For most teams, application-side encryption with KMS-managed keys gives the best balance of security and operational simplicity.
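Approaches (2) and (3) side by side on the same kind of column, as an added example that is not from the page or from the pgcrypto/pgsodium projects. It assumes pgsodium is in shared_preload_libraries with pgsodium.getkey_script configured (the root key has to come from outside SQL), that pgcrypto is available, and that the session is a superuser. The patient tables, the app_reader role and the sample value are constructed for the example.

```sql
-- Added example: one sensitive column protected with pgcrypto, then with
-- pgsodium transparent column encryption. Tables, role and data constructed.

-- (2) pgcrypto: the passphrase travels inside each statement, so it is visible
-- in log_statement output, pg_stat_statements and pgaudit records.
CREATE EXTENSION IF NOT EXISTS pgcrypto;
CREATE TABLE patient_pgcrypto (id bigserial PRIMARY KEY, ssn bytea);
INSERT INTO patient_pgcrypto (ssn)
  VALUES (pgp_sym_encrypt('123-45-6789', 'passphrase-held-by-the-app'));
SELECT pgp_sym_decrypt(ssn, 'passphrase-held-by-the-app') FROM patient_pgcrypto;

-- (3) pgsodium: the key id is a handle into the server-side keyring;
-- the key bytes themselves never appear in SQL.
CREATE EXTENSION IF NOT EXISTS pgsodium;
CREATE TABLE patient (id bigserial PRIMARY KEY, ssn text);

DO $$
DECLARE key_id uuid;
BEGIN
  SELECT id INTO key_id FROM pgsodium.create_key();     -- default key type: aead-det
  EXECUTE format('SECURITY LABEL FOR pgsodium ON COLUMN patient.ssn IS %L',
                 'ENCRYPT WITH KEY ID ' || key_id);
END $$;

-- Writes go to the base table as usual; the trigger installed by the label
-- encrypts the column before it is stored.
INSERT INTO patient (ssn) VALUES ('123-45-6789');

SELECT ssn FROM patient;                     -- base64 ciphertext
SELECT decrypted_ssn FROM decrypted_patient; -- plaintext, via the generated view

-- Least privilege: application roles read the view, never the base table,
-- so a role without view access cannot get at plaintext at all.
CREATE ROLE app_reader NOLOGIN;
REVOKE ALL ON patient FROM app_reader;
GRANT SELECT ON decrypted_patient TO app_reader;
```

Deterministic AEAD (the default aead-det key type) lets equal plaintexts produce equal ciphertexts, which keeps equality lookups on the encrypted column possible but also leaks which rows share a value; pgsodium additionally restricts which roles may call key-id based functions, so check its role documentation before granting the view widely.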

Manage PostgreSQL Visually

1bench is a modern GUI client for PostgreSQL — install extensions, write queries, and inspect schemas without leaving the IDE.

Try 1bench for PostgreSQL