25+ Security & Audit Extensions for PostgreSQL

Name: 25+ Security & Audit Extensions for PostgreSQL
Creator: 1bench
License: https://creativecommons.org/licenses/by/4.0/

pgaudit, anon, pgcrypto, pgsodium, and other Postgres extensions for audit logging, encryption, and data anonymization. Ranked by GitHub stars.

Last reviewed: May 15, 2026

25 extensions

All Vector & AI Full-text Search Geospatial Time-series & Temporal Analytics & Columnar Foreign Data Wrappers Monitoring & Stats Security & Audit

Install

pgaudit Restart

provides auditing functionality

Security & Audit·PostgreSQL·C·pgaudit·PG 17, 16, 15, 14, 13

1.6k

+17

pgaudit

1.6k+17 30d

provides auditing functionality

Security & Audit·PostgreSQL·C

pgsodium Restart

Postgres extension for libsodium functions

Security & Audit·BSD-3-Clause·C·michelp·PG 17, 16, 15, 14, 13

602

7mo

pgsodium

602+1 30d

Postgres extension for libsodium functions

Security & Audit·BSD-3-Clause·C

supabase_vault

Supabase Vault Extension

Security & Audit·Apache-2.0·C·supabase·PG 17, 16, 15, 14, 13

227

12d

supabase_vault

227+3 30d

Supabase Vault Extension

Security & Audit·Apache-2.0·C

pg_jobmon

Extension for logging and monitoring functions in PostgreSQL

Security & Audit·PostgreSQL·SQL·omniti-labs·PG 17, 16, 15, 14, 13

200

pg_jobmon

2000 30d

Extension for logging and monitoring functions in PostgreSQL

Security & Audit·PostgreSQL·SQL

pgextwlist Restart

PostgreSQL Extension Whitelisting

Security & Audit·PostgreSQL·C·dimitri·PG 17, 16, 15, 14, 13

101

7mo

pgextwlist

1010 30d

PostgreSQL Extension Whitelisting

Security & Audit·PostgreSQL·C

supautils Restart

Extension that secures a cluster on a cloud environment

Security & Audit·Apache-2.0·C·supabase·PG 17, 16, 15, 14, 13

11d

supautils

83+1 30d

Extension that secures a cluster on a cloud environment

Security & Audit·Apache-2.0·C

set_user

similar to SET ROLE but with added logging

Security & Audit·PostgreSQL·C·pgaudit·PG 17, 16, 15, 14, 13

8mo

set_user

770 30d

similar to SET ROLE but with added logging

Security & Audit·PostgreSQL·C

pg_session_jwt Trusted

Manage authentication sessions using JWTs

Security & Audit·Apache-2.0·Rust·neondatabase·PG 17, 16, 15, 14

pg_session_jwt

66+1 30d

Manage authentication sessions using JWTs

Security & Audit·Apache-2.0·Rust

logerrors

Function for collecting statistics about messages in logfile

Security & Audit·BSD-3-Clause·C·munakoiso·PG 17, 16, 15, 14, 13

8mo

logerrors

370 30d

Function for collecting statistics about messages in logfile

Security & Audit·BSD-3-Clause·C

login_hook

login_hook - hook to execute login_hook.login() at login time

Security & Audit·GPL-3.0·C·splendiddata·PG 17, 16, 15, 14, 13

login_hook

330 30d

login_hook - hook to execute login_hook.login() at login time

Security & Audit·GPL-3.0·C

pg_auth_mon

monitor connection attempts per user

Security & Audit·MIT·C·RafiaSabih·PG 17, 16, 15, 14, 13

pg_auth_mon

280 30d

monitor connection attempts per user

Security & Audit·MIT·C

pg_snakeoil Restart

The PostgreSQL Antivirus

Security & Audit·PostgreSQL·C·credativ·PG 17, 16, 15, 14, 13

pg_snakeoil

250 30d

The PostgreSQL Antivirus

Security & Audit·PostgreSQL·C

pgauditlogtofile

pgAudit addon to redirect audit log to an independent file

Security & Audit·PostgreSQL·C·fmbiete·PG 17, 16, 15, 14, 13

1mo

pgauditlogtofile

230 30d

pgAudit addon to redirect audit log to an independent file

Security & Audit·PostgreSQL·C

pgsmcrypto

PostgreSQL SM Algorithm Extension

Security & Audit·MIT·Rust·zhuobie·PG 17, 16, 15, 14, 13

6mo

pgsmcrypto

150 30d

PostgreSQL SM Algorithm Extension

Security & Audit·MIT·Rust

sslutils

A Postgres extension for managing SSL certificates through SQL

Security & Audit·PostgreSQL·C·EnterpriseDB·PG 17, 16, 15, 14, 13

today

sslutils

120 30d

A Postgres extension for managing SSL certificates through SQL

Security & Audit·PostgreSQL·C

pg_auditor

Audit data changes and provide flashback ability

Security & Audit·BSD-3-Clause·SQL·kouber·PG 17, 16, 15, 14, 13

pg_auditor

90 30d

Audit data changes and provide flashback ability

Security & Audit·BSD-3-Clause·SQL

passwordcheck_cracklib Restart

Strengthen PostgreSQL user password checks with cracklib

Security & Audit·LGPL-2.1·C·devrimgunduz·PG 17, 16, 15, 14, 13

passwordcheck_cracklib

40 30d

Strengthen PostgreSQL user password checks with cracklib

Security & Audit·LGPL-2.1·C

anon Restart

PostgreSQL Anonymizer (anon) extension

Security & Audit·PostgreSQL·Rust·PG 17, 16, 15, 14, 13

—

anon

PostgreSQL Anonymizer (anon) extension

Security & Audit·PostgreSQL·Rust

auth_delay Restart

pause briefly before reporting authentication failure

Security & Audit·PostgreSQL·C·PG 17, 16, 15, 14, 13

—

auth_delay

pause briefly before reporting authentication failure

Security & Audit·PostgreSQL·C

credcheck

credcheck - postgresql plain text credential checker

Security & Audit·MIT·C·MigOpsRepos·PG 17, 16, 15, 14, 13

—

credcheck

credcheck - postgresql plain text credential checker

Security & Audit·MIT·C

noset Restart

Module for blocking SET variables for non-super users.

Security & Audit·AGPL-3.0·C·PG 17, 16, 15, 14, 13

—

noset

Module for blocking SET variables for non-super users.

Security & Audit·AGPL-3.0·C

pg_tde Restart

pg_tde access method

Security & Audit·MIT·C·Percona-Lab·PG 16

—

pg_tde

pg_tde access method

Security & Audit·MIT·C

pgcrypto Trusted

cryptographic functions

Security & Audit·PostgreSQL·C·PG 17, 16, 15, 14, 13

—

pgcrypto

cryptographic functions

Security & Audit·PostgreSQL·C

pgcryptokey

cryptographic key management

Security & Audit·PostgreSQL·C·PG 17, 16, 15, 14, 13

—

pgcryptokey

cryptographic key management

Security & Audit·PostgreSQL·C

sepgsql Restart

label-based mandatory access control (MAC) based on SELinux security policy.

Security & Audit·PostgreSQL·C·PG 17, 16, 15, 14, 13

—

sepgsql

label-based mandatory access control (MAC) based on SELinux security policy.

Security & Audit·PostgreSQL·C

What is a PostgreSQL Security Extension?

Security extensions add capabilities Postgres core deliberately leaves out — session and statement-level audit logging (pgaudit), data anonymization for development environments (anon), modern encryption primitives (pgsodium goes beyond pgcrypto with libsodium), trusted language extensions for safer multi-tenant deployments (pg_tle), row-level password policies (passwordcheck), and privilege escalation primitives (set_user). They're typically required for compliance frameworks like PCI-DSS, HIPAA, SOC 2, and GDPR — and increasingly expected by enterprise procurement and security review processes.

When to Add a Security Extension

Enable pgaudit when you need to log every DDL or DML operation for compliance — most managed Postgres providers support it out of the box. Use anon when developers need realistic test data without exposing PII to staging environments. Use pgsodium for application-layer encryption at the column level (data-at-rest column-encryption with key management). pgcrypto remains the standard for password hashing and basic crypto operations. Don't pile these on speculatively — each adds latency, audit-log volume, and operational complexity; enable per actual compliance or security requirement.

Frequently Asked Questions

What is pgaudit?

pgaudit is the standard PostgreSQL audit logging extension — it logs every SQL statement (or a configurable subset) to the Postgres log with detailed metadata: user, database, command tag, object name, statement text. Used to satisfy compliance requirements like PCI-DSS, HIPAA, SOX, and GDPR that mandate audit trails of data access. PostgreSQL-licensed, maintained by Crunchy Data, and supported on AWS RDS, Aurora, Supabase, Neon, and Azure — typically configured per-database or per-role to limit log volume.

What's the difference between pgcrypto and pgsodium?

pgcrypto ships with Postgres core (in contrib) and provides classic cryptographic functions — bcrypt/scrypt password hashing, AES symmetric encryption, RSA, SHA hashes. pgsodium is newer and wraps libsodium, giving you modern primitives — XChaCha20-Poly1305 authenticated encryption, X25519 ECDH, Ed25519 signing — and adds Postgres-specific patterns like column-level encryption with a server-managed key. For password hashing, pgcrypto's crypt() with blf is still fine. For new encryption work, pgsodium is the better starting point.

How do I anonymize Postgres data for development?

Use the anon extension by CYBERTEC — declare masking rules per column (e.g. anonymize emails as random domains, replace names with faker.fr_FR data, redact phone numbers), then run SELECT anon.anonymize_database(); to apply the masks to a copy of production. The result is a sanitized snapshot safe for developer laptops, staging, and AI/ML training. anon supports static masking (in-place), dynamic masking (per-role views), and masked dumps via pg_dump_anon.

Does pgaudit work on AWS RDS Postgres?

Yes — pgaudit is supported on AWS RDS for PostgreSQL and Aurora. Enable it by adding pgaudit to shared_preload_libraries via the parameter group and setting pgaudit.log_catalog and pgaudit.log = 'ddl, write' (or your chosen scope). RDS forwards pgaudit output to CloudWatch Logs. Supabase, Neon, and Azure all support pgaudit similarly. Note: audit-log volume can be significant — start narrow (DDL only) and expand based on compliance needs.

How do I encrypt sensitive columns in Postgres?

Three approaches. (1) Application-side encryption: encrypt before INSERT, decrypt after SELECT — most flexible, you own the keys but lose server-side query capabilities. (2) pgcrypto: use PGP_SYM_ENCRYPT for column-level encryption — works but keys live in the database. (3) pgsodium: column encryption with a server-managed key in the keyring — supports SECURITY LABEL ENCRYPTED to mark columns for transparent encryption. For most teams, application-side encryption with KMS-managed keys gives the best balance of security and operational simplicity.

Manage PostgreSQL Visually

1bench is a modern GUI client for PostgreSQL — install extensions, write queries, and inspect schemas without leaving the IDE.

Try 1bench for PostgreSQL