When you run some SQL commands that delete files, the corresponding disk space is returned to the operating system. Such commands include:

If the wipe_file_on_delete configuration parameter is switched on, the files to be deleted are first filled with zero bytes.

In accordance with the Multiversion Concurrency Control (MVCC) model, when rows are deleted (with the DELETE command) the data stored in these rows is marked as deleted, but is not physically removed. In the case of row updates (with the UPDATE command), the old version of the row is deleted, and then a new version is inserted, so the previous value is not removed from the page either.

To ensure that MVCC mechanism is working correctly, Postgres Pro keeps the deleted data in the page while the saved version of the row can be accessed by at least one active snapshot. If the row is referenced from indexes, index pages also keep references to the row versions that are deleted but not yet freed. When the row version is not referenced from any snapshot anymore, this version can be deleted with the VACUUM process. At the same time, all references to this row version are deleted from indexes. However, deleting does not mean physical removal: in normal operation, the corresponding space in the page is marked as free and can be used to store another row.

To prevent access to the deleted row versions, make sure that the wipe_heaptuple_on_delete parameter is switched on in the postgresql.conf configuration file. In this case, the VACUUM process not only marks the page spaces as free, but also fills them with zero bytes.

While the server is running, random-access memory (RAM) is constantly allocated and released. Postgres Pro uses its own context-based system of memory allocation, in which memory is always allocated in one of the nested contexts. Deleting a context frees all the memory allocated in this context and the corresponding nested contexts. This approach helps to avoid memory leaks. Nevertheless, memory allocation and release are ultimately performed by the operating system. In normal operation, the released part of RAM is returned to the operating system and can be allocated to another process.

To remove all the data from the released part of RAM, make sure that the following parameters are switched on in the postgresql.conf configuration file:

Write-Ahead Log (WAL) is a standard method for ensuring data integrity, which enables database backups, point-in-time recovery, and data replication between servers. WAL's central concept is that changes to data files (where tables and indexes reside) must be written only after those changes have been logged, that is, after log records describing the changes have been flushed to permanent storage. Thus, WAL can contain sensitive data that must be secured.

Postgres Pro server always stores a certain number of WAL segments in the $PGDATA/pg_wal directory. The minimum amount of WAL segments to store is defined by the min_wal_size parameter. In case of heavy load, the size of WAL segments can increase up to the max_wal_size value, or even exceed this value a little. As long as WAL disk usage stays above the min_wal_size threshold, old WAL segment files are deleted when they are released. Otherwise, WAL segments get overwritten.

To prevent unauthorized access to the released WAL segments, make sure that the wipe_xlog_on_free parameter is switched on in the postgresql.conf configuration file. In this case, the WAL segment will be filled with zero bytes before it is deleted or overwritten.

For details on WAL configuration and usage, see Chapter 28.