INSTALL

The installation process is composed of 4 basic steps:

  • Step 1: Deploy the extension into the host server
  • Step 2: Load the extension in the PostgreSQL instance
  • Step 3: Create and Initialize the extension inside the database

There are multiple ways to install the extension :

In the examples below, we load the extension (step2) using a parameter called session_preload_libraries but there are other ways to load it. See Load the extension for more details.

If you're having any problem, check the Troubleshooting section.

Choose your version : Stable or Latest ?

This extension is available in two versions :

  • stable is recommended for production
  • latest is useful if you want to test new features

Install on RedHat / Rocky Linux / Alma Linux

New RPM repository !

DO NOT use the package provided by the PGDG RPM repository. It is obsolete.

Step 0: Add the DaLibo Labs RPM repository to your system.

sudo dnf install https://yum.dalibo.org/labs/dalibo-labs-4-1.noarch.rpm

Alternatively you can download the latest version from the Gitlab Package Registry.

Step 1: Deploy

sudo yum install postgresql_anonymizer_16

(Replace 16 with the major version of your PostgreSQL instance.)

Step 2: Load the extension.

ALTER DATABASE foo SET session_preload_libraries = 'anon';

(If you're already loading extensions that way, just add anon the current list)

The setting will be applied for the next sessions, i.e. You need to reconnect to the database for the change to visible

Step 3: Close your session and open a new one. Create the extension.

CREATE EXTENSION anon;
SELECT anon.init();

All new connections to the database can now use the extension.

Install on Debian / Ubuntu

This is the recommended way to install the stable version

Step 0: Add the DaLibo Labs DEB Repo to your system.

apt install curl lsb-release
echo deb http://apt.dalibo.org/labs $(lsb_release -cs)-dalibo main > /etc/apt/sources.list.d/dalibo-labs.list
curl -fsSL -o /etc/apt/trusted.gpg.d/dalibo-labs.gpg https://apt.dalibo.org/labs/debian-dalibo.gpg
apt update

Alternatively you can download the latest version from the Gitlab Package Registry.

Step 1: Deploy

sudo apt install postgresql_anonymizer_16

(Replace 16 with the major version of your PostgreSQL instance.)

Step 2: Load the extension.

ALTER DATABASE foo SET session_preload_libraries = 'anon';

(If you're already loading extensions that way, just add anon the current list)

The setting will be applied for the next sessions, i.e. You need to reconnect to the database for the change to visible

Step 3: Close your session and open a new one. Create the extension.

CREATE EXTENSION anon;
SELECT anon.init();

All new connections to the database can now use the extension.

Install with Ansible

This method will install the stable extension

Step 1a: Install the Dalibo PostgreSQL Essential Ansible Collection

ansible-galaxy collection install dalibo.advanced

Step 1b: Write a playbook (e.g. anon.yml) to the postgresql_anonymizer role to the database servers. For instance:

---
- name: Install the PostgreSQL Anonymizer extension on all hosts of the pgsql group
  hosts: pgsql
  roles:
    - dalibo.advanced.anon

Step 1c: Launch the playbook

ansible-playbook anon.yml

Step 2: Load the extension.

ALTER DATABASE foo SET session_preload_libraries = 'anon';

(If you're already loading extensions that way, just add anon the current list)

The setting will be applied for the next sessions, i.e. You need to reconnect to the database for the change to visible

Step 3: Close your session and open a new one. Create the extension.

CREATE EXTENSION anon;
SELECT anon.init();

All new connections to the database can now use the extension.

Install With PGXN

Warning

This method is not available currently but you can use the "Install From Source" method below which is very similar.

Install From Source

This is the recommended way to install the latest extension

Important: Building the extension requires a full Rust development environment. It is not recommended to build it on a production server.

Before anything else, you need to install the PGRX System Requirements.

Step 0: Download the source from the official repository on Gitlab, either the archive of the latest release, or clone the latest branch:

git clone https://gitlab.com/dalibo/postgresql_anonymizer.git

Step 1: Build the project like any other PostgreSQL extension:

make extension
sudo make install

NOTE: If you have multiple versions of PostgreSQL on the server, you may need to specify which version is your target by defining the PG_CONFIG and PGVER env variable like this:

make extension PG_CONFIG=/usr/lib/postgresql/14/bin/pg_config PGVER="14"
sudo make install PG_CONFIG=/usr/lib/postgresql/14/bin/pg_config PGVER="14"

Step 2: Load the extension:

Please note that in order to load the extension you must connect to Postgresql with a user having superuser privileges. Also, the extension (as all Postgresql extensions) will be created only in the given database and not globally.

ALTER DATABASE foo SET session_preload_libraries = 'anon';

(If you're already loading extensions that way, just add anon the current list)

Step 3: Close your session and open a new one on the same PostgreSQL database. Create the extension.

CREATE EXTENSION anon;
SELECT anon.init();

All new connections to the given database can now use the extension.

Install with Docker

If you can't (or don't want to) install the PostgreSQL Anonymizer extension directly inside your instance, then you can use the docker image :

docker pull registry.gitlab.com/dalibo/postgresql_anonymizer:stable

The image is available with 2 two tags:

  • latest (default) contains the current developments
  • stable is the based on the previous release

You can run the docker image like the regular postgres docker image.

For example:

Launch a postgres docker container

docker run -d -e POSTGRES_PASSWORD=x -p 6543:5432 registry.gitlab.com/dalibo/postgresql_anonymizer

then connect:

export PGPASSWORD=x
psql --host=localhost --port=6543 --user=postgres

The extension is already created and initialized, you can use it directly:

# SELECT anon.partial_email('daamien@gmail.com');
     partial_email
-----------------------
 da******@gm******.com
(1 row)

Note: The docker image is based on the latest PostgreSQL version and we do not plan to provide a docker image for each version of PostgreSQL. However you can build your own image based on the version you need like this:

DOCKER_PG_MAJOR_VERSION=16 make docker_image

Install as a "Black Box"

see Anonymous Dumps

Install on MacOS

WE DO NOT PROVIDE COMMUNITY SUPPORT FOR THIS EXTENSION ON MACOS SYSTEMS.

However it should be possible to build the extension if you install the PGRX Mac OS system requirements and then follow the regular install from source procedure.

Install on Windows

PostgreSQL Anonymizer is built upon the [PGRX] framework and currently [PGRX] does not support compiling PostgreSQL extensions for Windows.

This is means that there's no native build of PostgreSQL Anonymizer for Windows.

However is it possible to run PostgreSQL inside a WSL2 container, which is basically an Ubuntu subsystem running on Windows.

You can then install PostgreSQL Anonymizer inside the WSL2 container like you would on a regular Ubuntu server.

Please read the Windows documentation for more details:

Install in the cloud

This extension must be installed with superuser privileges, which is something that most Database As A Service platforms (DBaaS), such as Amazon RDS or Microsoft Azure SQL, do not allow. They must add the extension to their catalog in order for you to use it.

At the time we are writing this (Feb. 2025), the following platforms provide PostgreSQL Anonymizer:

Please refer to their own documentation on how to activate the extension as they might have a platform-specific install procedure.

If your favorite DBaaS provider is not present in the list above, there is not much we can do about it... Although we have open discussions with some major actors in this domain, we DO NOT have internal knowledge on whether or not they will support it in the near future. If privacy and anonymity are a concern to you, we encourage you to contact the customer service of these platforms and ask them directly if they plan to add this extension to their catalog.

Addendum: Alternative way to load the extension

It is recommended to load the extension like this:

ALTER DATABASE foo SET session_preload_libraries='anon'

It has several benefits:

  • First, it will be dumped by pg_dump with the-C option, so the database dump will be self efficient.

  • Second, it is propagated to a standby instance by streaming replication. Which means you can use the anonymization functions on a read-only clone of the database (provided the extension is installed on the standby instance)

However, you can load the extension globally in the instance using the shared_preload_libraries parameter :

ALTER SYSTEM SET shared_preload_libraries = 'anon'"

Then restart the PostgreSQL instance.

Addendum: Troubleshooting

If you are having difficulties, you may have missed a step during the installation processes. Here's a quick checklist to help you:

Check that the extension is present

First, let's see if the extension was correctly deployed:

ls $(pg_config --sharedir)/extension/anon
ls $(pg_config --pkglibdir)/anon.so

If you get an error, the extension is probably not present on host server. Go back to step 1.

Check that the extension is loaded

Now connect to your database and look at the configuration with:

SHOW local_preload_libraries;
SHOW session_preload_libraries;
SHOW shared_preload_libraries;

If you don't see anon in any of these parameters, go back to step 2.

Check that the extension is created

Again connect to your database and type:

SELECT * FROM pg_extension WHERE extname= 'anon';

If the result is empty, the extension is not declared in your database. Go back to step 3.

Check that the extension is initialized

Finally, look at the state of the extension:

SELECT anon.is_initialized();

If the result is not t, the extension data is not present. Go back to step 3.

Uninstall

Step 1: Remove all rules

SELECT anon.remove_masks_for_all_columns();
SELECT anon.remove_masks_for_all_roles();

Although this step is not mandatory, it is highly recommended.

In some situations ever, it may be useful to keep the masking rules inside the database schema even if the anon extension is removed ! Keep in mind that pg_dump and pg_restore both have an option --no-security-labels to exclude the masking rules when you want to import/export the database.

Step 2: Drop the extension

DROP EXTENSION anon;

Step 3: Unload the extension

ALTER DATABASE foo RESET session_preload_libraries;

Or modify shared_preload_libraries depending on how you loaded the extension...

Step 4: Uninstall the extension

For Redhat / Rocky:

sudo yum remove postgresql_anonymizer_17

Replace 17 by the version of your postgresql instance.

Compatibility Guide

PostgreSQL Anonymizer is designed to work on the most current setups. As we are trying to find the right balance between innovation and backward compatibility, we define a comprehensive list of platforms and software that we officially support for each version.

Version Released EOL Postgres OS
2.0 dec. 2024 dec. 2025 13 to 17 RHEL 8 & 9, Debian 11 & 12, Ubuntu 24.04
1.3 mar. 2024 dec. 2024 12 to 16 RHEL 8 & 9
1.2 jan. 2024 mar. 2024 12 to 16 RHEL 8 & 9
1.1 sept. 2022 jan. 2024 11 to 15 RHEL 7 & 8

The extension may work on other distributions than the ones above, however provide packages only for these versions and we do not guarantee free community support for other OS.

If you need support on other platforms, we may offer commercial support for it. Please contact our commercial team at contact@dalibo.com for more details.