PostgreSQL is an open-source relational database management system known for reliability, data integrity, and a rich feature set. It handles everything from single-machine applications to data warehouses and web services with many concurrent users. PostgreSQL 17 brings significant performance improvements including a redesigned vacuum memory structure that uses up to 20x less memory, up to 2x faster write throughput for high-concurrency workloads, new SQL/JSON support with JSON_TABLE, and incremental backup support via pg_basebackup. See the official PostgreSQL 17 release announcement for the full changelog.
This guide covers installing PostgreSQL 17 on Debian 13 (Trixie) from the official PostgreSQL Global Development Group (PGDG) repository. We will walk through repository setup, installation, database initialization, creating users and databases, configuring remote access through pg_hba.conf, and setting up UFW firewall rules.
Prerequisites
- A server or VM running Debian 13 (Trixie)
- Root or sudo access
- Internet connectivity to download packages
- Port 5432/TCP open if remote database access is needed
Step 1: Update System Packages
Start by updating all system packages to the latest versions.
sudo apt update && sudo apt upgrade -yReboot if a kernel update was applied.
[ -f /var/run/reboot-required ] && sudo reboot -fStep 2: Add the PGDG Repository
The default Debian 13 repositories may not carry the latest PostgreSQL 17 packages. The PGDG (PostgreSQL Global Development Group) APT repository provides up-to-date builds for all supported PostgreSQL versions. If you also work with PostgreSQL 17 on Ubuntu, the same PGDG repository approach applies.
Install the required dependencies for adding the repository.
sudo apt install -y curl ca-certificates gnupgImport the PGDG repository signing key.
curl -fsSL https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo gpg --dearmor -o /usr/share/keyrings/postgresql-archive-keyring.gpgAdd the PGDG repository to your sources list.
echo "deb [signed-by=/usr/share/keyrings/postgresql-archive-keyring.gpg] http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | sudo tee /etc/apt/sources.list.d/pgdg.listUpdate the package index to pull in packages from the new repository.
sudo apt updateStep 3: Install PostgreSQL 17 on Debian 13
Install the PostgreSQL 17 server and client packages.
sudo apt install -y postgresql-17 postgresql-client-17The installation automatically initializes the database cluster, creates the postgres system user, and starts the service. Enable PostgreSQL to start on boot and verify the service is running.
sudo systemctl enable --now postgresqlCheck the service status.
$ systemctl status postgresql
● postgresql.service - PostgreSQL RDBMS
Loaded: loaded (/lib/systemd/system/postgresql.service; enabled; preset: enabled)
Active: active (exited) since Fri 2026-03-21 10:15:32 UTC; 1min ago
Main PID: 1245 (code=exited, status=0/SUCCESS)
CPU: 2msVerify the installed PostgreSQL version.
sudo -u postgres psql -c "SELECT version();"Expected output:
version
----------------------------------------------------------------------------------------------------------------------------
PostgreSQL 17.4 (Debian 17.4-1.pgdg130+1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 14.2.0-8) 14.2.0, 64-bit
(1 row)Step 4: Initialize and Verify the Database Cluster
On Debian, the database cluster is automatically initialized during package installation under /var/lib/postgresql/17/main. You can confirm the cluster exists with the pg_lsclusters command.
$ pg_lsclusters
Ver Cluster Port Status Owner Data directory Log file
17 main 5432 online postgres /var/lib/postgresql/17/main /var/log/postgresql/postgresql-17-main.logIf you ever need to create a fresh cluster manually (for example, on a secondary data directory), use pg_createcluster.
sudo pg_createcluster 17 main --startOr use initdb directly as the postgres user.
sudo -u postgres /usr/lib/postgresql/17/bin/initdb -D /var/lib/postgresql/17/mainFor most installations, the automatic initialization is sufficient and no manual initdb is needed.
Step 5: Secure the PostgreSQL Instance
Set a strong password for the default postgres superuser account. Connect to the PostgreSQL shell first.
sudo -u postgres psqlSet the password.
postgres=# ALTER USER postgres PASSWORD 'StrongPasswordHere';
ALTER ROLEExit the shell.
\qStep 6: Create a Database and User
Switch to the postgres system user to run database administration commands.
sudo -i -u postgresCreate a new database user.
createuser appuserCreate a new database.
createdb appdb -O appuserConnect to the PostgreSQL shell and set a password for the new user.
psqlRun the following SQL commands.
postgres=# ALTER USER appuser PASSWORD 'SecureUserPassword';
ALTER ROLE
postgres=# GRANT ALL PRIVILEGES ON DATABASE appdb TO appuser;
GRANTExit the shell and switch back to your regular user.
\q
exitVerify the connection with the new user.
psql -U appuser -d appdb -h 127.0.0.1 -WYou will be prompted to enter the password. A successful connection confirms the user and database are working. For a graphical interface to manage your databases, consider installing pgAdmin 4 on Debian.
Step 7: Configure pg_hba.conf for Remote Access
By default, PostgreSQL only accepts connections from localhost. To allow remote clients to connect, two configuration files need to be updated.
First, edit the main PostgreSQL configuration file to listen on all network interfaces.
sudo vi /etc/postgresql/17/main/postgresql.confFind the listen_addresses directive in the CONNECTIONS AND AUTHENTICATION section and set it to listen on all interfaces.
#-----------------------------------------------------------
# CONNECTIONS AND AUTHENTICATION
#-----------------------------------------------------------
# - Connection Settings -
listen_addresses = '*' # what IP address(es) to listen on;
# comma-separated list of addresses;
# defaults to 'localhost'; use '*' for allNext, edit pg_hba.conf to define which remote hosts are allowed to connect and what authentication method to use.
sudo vi /etc/postgresql/17/main/pg_hba.confAdd the following lines at the end of the file. The first line allows connections from a specific subnet, and the second allows all remote hosts. Choose the one that matches your environment – restricting access to your network CIDR is recommended for production.
# Allow connections from a specific subnet (recommended)
host all all 192.168.1.0/24 scram-sha-256
# Or allow all remote connections (use with caution)
host all all 0.0.0.0/0 scram-sha-256PostgreSQL 17 defaults to scram-sha-256 authentication, which is more secure than the older md5 method. Use scram-sha-256 for all new setups. If you plan to set up PostgreSQL streaming replication, you will also need to add replication entries to pg_hba.conf.
Restart PostgreSQL to apply the configuration changes.
sudo systemctl restart postgresqlVerify PostgreSQL is listening on all interfaces.
$ ss -tlnp | grep 5432
LISTEN 0 244 0.0.0.0:5432 0.0.0.0:* users:(("postgres",pid=1345,fd=7))
LISTEN 0 244 [::]:5432 [::]:* users:(("postgres",pid=1345,fd=8))Step 8: Configure UFW Firewall for PostgreSQL
If UFW is active on your Debian 13 server, you need to allow incoming connections on port 5432/TCP. Install UFW if it is not already present.
sudo apt install -y ufwAllow SSH connections first to avoid locking yourself out, then allow PostgreSQL traffic.
sudo ufw allow ssh
sudo ufw allow 5432/tcpEnable UFW if it is not already active.
sudo ufw enableTo restrict PostgreSQL access to a specific subnet instead of all sources, use the following rule.
sudo ufw allow from 192.168.1.0/24 to any port 5432 proto tcpVerify the firewall rules are in place.
$ sudo ufw status numbered
Status: active
To Action From
-- ------ ----
[ 1] 22/tcp ALLOW IN Anywhere
[ 2] 5432/tcp ALLOW IN Anywhere
[ 3] 22/tcp (v6) ALLOW IN Anywhere (v6)
[ 4] 5432/tcp (v6) ALLOW IN Anywhere (v6)Step 9: Test Remote Connection to PostgreSQL
From a remote machine with the PostgreSQL client installed, test the connection using the user and database created earlier.
psql -h 192.168.1.50 -U appuser -d appdb -WReplace 192.168.1.50 with your PostgreSQL server’s IP address. You should get a successful connection prompt. You can also use the connection URI format.
psql "postgresql://appuser:[email protected]:5432/appdb?sslmode=prefer"A successful connection confirms that PostgreSQL, pg_hba.conf, and the firewall are all configured correctly. The same PostgreSQL 17 setup process works on RHEL 10, Rocky Linux 10, and AlmaLinux 10 with minor differences in package management. You can also run PostgreSQL in Podman containers with pgAdmin for development environments.
Conclusion
PostgreSQL 17 is now installed and running on Debian 13 with remote access configured through pg_hba.conf and UFW firewall rules in place. The PGDG repository ensures you receive timely security patches and minor version updates through standard apt upgrade workflows.
For production deployments, enable SSL/TLS for encrypted client connections, configure automated backups with pg_basebackup or pg_dump, set up monitoring with tools like pg_stat_statements, and consider PostgreSQL 17 documentation for performance tuning parameters specific to your workload.
