Merge pull request #6227 from EnterpriseDB/docs/edits_to_ted_pr6130
Edits to TDE refresh pr6130
gvasquezvargas authored Nov 22, 2024
2 parents fad07c5 + 981cb4f commit 16e492f
Showing 18 changed files with 129 additions and 132 deletions.
54 changes: 27 additions & 27 deletions product_docs/docs/postgres_distributed_for_kubernetes/1/tde.mdx
@@ -1,45 +1,45 @@
---
title: 'Transparent Data Encryption (TDE)'
title: 'Transparent data encryption (TDE)'
originalFilePath: 'src/tde.md'
---

!!! Important
TDE is available *only* for operands that support it:
EPAS versions 15 and newer, Postgres Extended versions 15 and newer.
EDB Postgres Advanced Server versions 15 and newer and EDB Postgres Extended versions 15 and newer.

Transparent Data Encryption, or TDE, is a technology used by several database
vendors to **encrypt data at rest**, i.e. database files on disk.
TDE does not however encrypt data in use.
Transparent data encryption, or TDE, is a technology used by several database
vendors to encrypt data at rest, that is, database files on disk.
However, TDE doesn't encrypt data in use.

TDE is included in EDB Postgres Advanced Server (EPAS) or EDB Postgres
Extended, starting with version 15, and it is supported by EDB Postgres
TDE is included in EDB Postgres Advanced Server or EDB Postgres
Extended, starting with version 15, and is supported by EDB Postgres
Distributed for Kubernetes.

!!! Important
Before you proceed, please take some time to familiarize with the
[TDE feature in the EPAS documentation](https://www.enterprisedb.com/docs/tde/latest/).
Before you proceed, take some time to familiarize with the
[TDE feature in the EDB Postgres Advanced Server documentation](/tde/latest/).

With TDE activated, both WAL files and files for tables will be encrypted.
Data encryption/decryption is entirely transparent to the user, as it is
With TDE activated, both WAL files and files for tables are encrypted.
Data encryption/decryption is entirely transparent to the user, as it's
managed by the database without requiring any application changes or updated
client drivers.

The support for TDE on EDB Postgres Distributed for Kubernetes relies on the
implementation from EDB Postgres for Kubernetes (PG4K). Please refer to
[the PG4K documentation](https://www.enterprisedb.com/docs/postgres_for_kubernetes/latest/tde/)
implementation from EDB Postgres for Kubernetes (PG4K). See
[the PG4K documentation](/postgres_for_kubernetes/latest/tde/)
for the full context.

We show now how to use TDE with a passphrase stored in a Kubernetes Secret,
which will be used to encrypt the EPAS binary key.
You can use TDE with a passphrase stored in a Kubernetes secret,
which is used to encrypt the EDB Postgres Advanced Server binary key.

!!! Seealso "EPAS documentation"
Please refer to [the EPAS documentation](https://www.enterprisedb.com/docs/tde/latest/secure_key/)
for details on the EPAS encryption key.
!!! Seealso "EDB Postgres Advanced Server documentation"
See [the EDB Posgres Advanced Server documentation](/tde/latest/secure_key/)
for details on the this encryption key.

TDE on EDB Postgres Distributed for Kubernetes relies on the PG4K
implementation.
To activate TDE on a cluster, we use the `epas` section of the manifest,
which is within the `cnp` section used for PG4K-level directives such as
Activating TDE on a cluster uses the `epas` section of the manifest,
which is in the `cnp` section used for PG4K-level directives such as
storage.
Use the `tde` stanza to enable TDE, and set the name of the Kubernetes secret
holding the TDE encryption key.
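Review bot: two typos slipped into the new text in this hunk: `See [the EDB Posgres Advanced Server documentation](/tde/latest/secure_key/)` should read `Postgres`, and `for details on the this encryption key` has a doubled article. `take some time to familiarize with the` also needs `yourself` (`familiarize yourself with the`). Separately, `TDE on EDB Postgres Distributed for Kubernetes relies on the PG4K implementation.` restates the earlier paragraph `The support for TDE on EDB Postgres Distributed for Kubernetes relies on the implementation from EDB Postgres for Kubernetes (PG4K)`; consider dropping one of the two.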
@@ -75,27 +75,27 @@ spec:
size: 1Gi
```
Again, please refer to [the PG4K documentation](https://www.enterprisedb.com/docs/postgres_for_kubernetes/latest/tde/)
Again, see [the PG4K documentation](/postgres_for_kubernetes/latest/tde/)
for additional depth, including how to create the encryption secret and
additional ways of using TDE.
As shown in the [TDE feature documentation](https://www.enterprisedb.com/docs/tde/latest/),
the information will be encrypted at rest.
As shown in the [TDE feature documentation](/tde/latest/),
the information is encrypted at rest.
For example, open a `psql` terminal into one of your data nodes.
For example, open a psql terminal into one of your data nodes.
```sh
kubectl exec -ti <DATA-NODE> -- psql app
```

and create a new table including a text column.
Create a new table including a text column:

```sql
create table foo(bar int, baz varchar);
insert into foo(bar, baz) values (1, 'hello'), (2, 'goodbye');
```

And then verify the location where the newly defined table is stored on disk:
Verify the location where the newly defined table is stored on disk:

```sql
select pg_relation_filepath('foo');
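Review bot: the walkthrough inserts two rows and then goes straight to inspecting the heap file on disk, but freshly inserted rows may still sit only in shared buffers and WAL, so the file that `select pg_relation_filepath('foo');` points to can be empty or not yet contain the page when the reader looks at it. Add a `CHECKPOINT;` (or a sentence saying the data must be flushed to disk) between the `insert` and the on-disk check so there are encrypted bytes to see.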
@@ -110,7 +110,7 @@ You can open a terminal on the same data node:
kubectl exec -ti <DATA-NODE> -- bash
```

and verify the file has been encrypted.
There, you can verify the file was encrypted:

```sh
cd $PGDATA/base/16385
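Review bot: `cd $PGDATA/base/16385` hardcodes a database OID that will differ on the reader's cluster; the previous step already has them run `pg_relation_filepath('foo')`, so the instruction should tell them to `cd` into the directory of the path that query returned rather than into the literal `16385`.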
4 changes: 2 additions & 2 deletions product_docs/docs/tde/15/about/index.mdx
@@ -1,9 +1,9 @@
---
title: About TDE
description: Learn about TDE, how it works, what it encrypts and why to use it.
description: Learn about TDE, how it works, what it encrypts, and why to use it.
indexCards: simple
---

Transparent data encryption (TDE) is an optional feature supported by EDB Postgres Advanced Server and EDB Postgres Extended Server from version 15.
Transparent data encryption (TDE) is an optional feature supported by EDB Postgres Advanced Server and EDB Postgres Extended Server in version 15 and later.

It encrypts user data stored in the database system.
8 changes: 4 additions & 4 deletions product_docs/docs/tde/15/about/what.mdx
@@ -5,9 +5,9 @@ description: Which data is encrypted when databases are initialized with TDE?

TDE encrypts:

- The files underlying tables, sequences, indexes, including TOAST tables and system catalogs, and including all forks. These files are known as *data files*.
- The files underlying tables, sequences, and indexes, including TOAST tables and system catalogs and all forks. These files are known as *data files*.

- The write-ahead log (WAL).
- The write-ahead log (WAL).

- Various temporary files that are used during query processing and database system operation.

@@ -17,14 +17,14 @@ TDE encrypts:

- A physical replica is necessarily encrypted (or not encrypted) in the same way and using the same keys as its primary server.

- If a server uses TDE, a base backup is automatically encrypted.
- If a server uses TDE, a base backup is encrypted.


The following aren't encrypted or otherwise disguised by TDE:

- Metadata internal to operating the database system that doesn't contain user data, such as the transaction status (for example, pg_subtrans and pg_xact).

- The file names and file system structure in the data directory. That means that the overall size of the database system, the number of databases, the number of tables, their relative sizes, as well as file system metadata such as last access time are all visible without decryption.
- The file names and file system structure in the data directory. That means that the overall size of the database system, the number of databases, the number of tables, their relative sizes, as well as file system metadata, such as last access time, are all visible without decryption.

- Data in foreign tables.

14 changes: 7 additions & 7 deletions product_docs/docs/tde/15/about/why.mdx
@@ -5,18 +5,18 @@ description: Learn about some of the use cases for TDE encryption.

TDE encryption ensures that user data remains protected from unauthorized access.

When configured with a [data encryption key securing mechanism](../secure_key/), data stored on the database server and in backup is only accessible by users and processes with decryption keys.
When configured with a [data encryption key securing mechanism](../secure_key/), data stored on the database server and in backup is accessible only by users and processes with decryption keys.

Some use cases include:
Some use cases include:

- **Protection of sensitive personal data:** Industries like finance, e-commerce, healthcare, and government organizations often deal with personally identifiable information that must be protected to comply with data privacy regulations such as GDPR, HIPPA, PCI DSS.
- **Protection of sensitive personal data.** Industries like finance, e-commerce, healthcare, and government organizations often deal with personally identifiable information that must be protected to comply with data privacy regulations such as GDPR, HIPAA, and PCI DSS.

- **Compliance with government standards:** Government institutions must comply with information processing standards like FIPS to ensure computer security and interoperability.
- **Compliance with government standards.** Government institutions must comply with information processing standards like FIPS to ensure computer security and interoperability.

- **Protection of transactional data:** Financial institutions deal with transaction, account, and payment data that must be protected to prevent fraud and financial losses.
- **Protecting transactional data.** Financial institutions deal with transaction, account, and payment data that must be protected to prevent fraud and financial losses.

- **Protection of intellectual property:** Organizations safeguard proprietary information, designs, and plans to keep their competitive advantage, support brand value, and foster innovation.
- **Protecting intellectual property.** Organizations safeguard proprietary information, designs, and plans to keep their competitive advantage, support brand value, and foster innovation.

- **Protection of data in cloud-based deployments and public web applications:** Encrypting a database's data provides an additional layer of security when infrastructure is shared, or when vulnerabilities could potentially infiltrate in an application's API.
- **Protecting data in cloud-based deployments and public web applications.** Encrypting a database's data provides an added layer of security when infrastructure is shared or when vulnerabilities could potentially infiltrate in an application's API.

When your data is encrypted, it becomes unintelligible if it's stolen or misplaced.
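Review bot: the list items are now a mix of noun phrases (`Protection of sensitive personal data.`, `Compliance with government standards.`) and gerunds (`Protecting transactional data.`, `Protecting intellectual property.`, `Protecting data in cloud-based deployments and public web applications.`); pick one form for all five. The last item's `when vulnerabilities could potentially infiltrate in an application's API` is still awkward after the rewording; something like `or when an application's API can be exploited` says what is meant.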
2 changes: 1 addition & 1 deletion product_docs/docs/tde/15/affected_commands.mdx
@@ -1,6 +1,6 @@
---
title: "Commands affected by TDE"
description: Some commands work differently when TDE is enabled. Learn about differences.
description: How TDE changes the behavior of some commands when enabled.
---

When TDE is enabled, the following commands have TDE-specific options or read TDE settings in environment variables or configuration files:
19 changes: 9 additions & 10 deletions product_docs/docs/tde/15/enabling/enabling_tde.mdx
@@ -12,21 +12,20 @@ Create a new EDB Postgres Advanced Server cluster with TDE enabled.

## Worked example

This example uses EDB Postgres Advanced Server 15 running on a Linux platform. It uses openssl to define the passphrase to wrap and unwrap the generated data encryption key.
This example uses EDB Postgres Advanced Server 15 running on a Linux platform. It uses OpenSSL to define the passphrase to wrap and unwrap the generated data encryption key.

1. Set the data encryption key (wrap) and decryption (unwrap) environment variables:

```shell
export PGDATAKEYWRAPCMD='openssl enc -e -aes-128-cbc -pass pass:ok -out %p'
export PGDATAKEYUNWRAPCMD='openssl enc -d -aes-128-cbc -pass pass:ok -in %p'
export PGDATAKEYWRAPCMD='openssl enc -e -aes-128-cbc -pass pass:<password> -out %p'
export PGDATAKEYUNWRAPCMD='openssl enc -d -aes-128-cbc -pass pass:<password> -in %p'
```

!!!note
- If you are on Windows you don't need the single quotes around the variable value.

- Ensure you replace `ok` with the passphrase you want to use to wrap the data encryption key.
- If you're on Windows, you don't need the single quotes around the variable value.
!!!

1. Initialize the cluster using `initdb` with encryption enabled. This command sets the `data_encryption_key_unwrap_command` parameter in the postgresql.conf file.
1. Initialize the cluster using `initdb` with encryption enabled. This command sets the `data_encryption_key_unwrap_command` parameter in the `postgresql.conf` file.

```shell
/usr/edb/as15/bin/initdb --data-encryption -D /var/lib/edb/as15/data
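Review bot: with the passphrase given as `-pass pass:<password>`, the worked example exposes the key-wrapping secret in the shell environment, in the process list of every `openssl` invocation, and, as the later grep step shows, verbatim in `postgresql.conf`; the removed `Ensure you replace ok with the passphrase` note was the only hint that this is a stand-in. Add a sentence that this is a demonstration setup and point to the `secure_key` page for a production key-securing mechanism. Also, `openssl enc` without `-pbkdf2` derives the key with OpenSSL's legacy single-iteration KDF (current OpenSSL prints a deprecation warning for it); suggest `openssl enc -e -aes-128-cbc -pbkdf2 -pass pass:<password> -out %p` and the matching `-d` form, set in both variables before `initdb` runs so wrap and unwrap stay consistent.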
@@ -38,12 +37,12 @@ This example uses EDB Postgres Advanced Server 15 running on a Linux platform. I
/usr/edb/as15/bin/pg_ctl -D /var/lib/edb/as15/data start
```

1. Run grep on postgresql.conf to verify the setting of `data_encryption_key_unwrap_command`:
1. Run grep on `postgresql.conf` to verify the setting of `data_encryption_key_unwrap_command`:

```shell
grep data_encryption_key_unwrap_command /var/lib/edb/as15/data/postgresql.conf
__OUTPUT__
data_encryption_key_unwrap_command = 'openssl enc -d -aes-128-cbc -pass pass:ok -in %p'
data_encryption_key_unwrap_command = 'openssl enc -d -aes-128-cbc -pass pass:<password> -in %p'
```

1. [Verify that data encryption is enabled](verifying_tde).
1. [Verify that data encryption is enabled](verifying_tde).
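Review bot: the grep output `data_encryption_key_unwrap_command = 'openssl enc -d -aes-128-cbc -pass pass:<password> -in %p'` makes it explicit that the passphrase lands in cleartext in `postgresql.conf`. That file is not among the things TDE encrypts (the `about/what.mdx` list covers data files, WAL and temporary files), so a base backup of this data directory carries the unwrap passphrase next to the encrypted data. This step should carry that caveat, with a pointer to the `secure_key` page, rather than presenting the grep purely as a success check.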
40 changes: 20 additions & 20 deletions product_docs/docs/tde/15/enabling/enabling_tde_epas.mdx
@@ -1,36 +1,36 @@
---
title: "Enabling TDE on an existing EDB Postgres Advanced Server"
description: Migrate your existing EDB Postgres Advanced Server to a new TDE-enabled database server.
title: "Enabling TDE on an existing EDB Postgres Advanced Server cluster"
description: Migrate your existing EDB Postgres Advanced Server cluster to a new TDE-enabled database server.
deepToC: true
redirects:
- /tde/latest/enabling_tde_epas/ #generated for TDE/refresh
---

Create a new EDB Postgres Advanced Server cluster with TDE enabled
and use `pg_upgrade` to transfer data from the existing source cluster to the new encrypted cluster.
Create an EDB Postgres Advanced Server cluster with TDE enabled
and use pg_upgrade to transfer data from the existing source cluster to the new encrypted cluster.

- [Prepare your upgrade](#preparing-your-upgrade) by performing a backup of the existing instance.
- [Create a new database server](#creating-an-encrypted-server)
- Create an empty directory for the new server and ensure `enterprisedb` owns it.
- [Create a new database server](#creating-an-encrypted-server):
- Create an empty directory for the new server and ensure enterprisedb owns it.
- Set the environment variables to export the `wrap` and `unwrap` commands for encryption.
- Initialize a server with encryption enabled.
- Change the default port, so the new server is available at another port.
- Change the default port so the new server is available at another port.
- Start the database server.
- Connect to the database server and ensure it is functioning.
- [Upgrade to the encrypted server](#upgrading-to-the-encrypted-server)
- Connect to the database server and ensure it's functioning.
- [Upgrade to the encrypted server](#upgrading-to-the-encrypted-server):
- Stop both the source and the new server.
- Use `pg_upgrade` with `--copy-by-block` option to copy data from the source server to the new server. Specify the source and target bin and data directories.
- Start the new encrypted databaser server.
- Connect to the encrypted database server and ensure the data was transfered.
- [Clean up and delete the source server](#cleaning-up-after-upgrade)
- Use pg_upgrade with the `--copy-by-block` option to copy data from the source server to the new server. Specify the source and target bin and data directories.
- Start the new encrypted database server.
- Connect to the encrypted database server and ensure the data was transferred.
- [Clean up and delete the source server](#cleaning-up-after-upgrade):
- Clean up the database and its statistics.
- Remove the source EDB Postgres Advanced Server cluster with the script provided by `pg_upgrade`.
- Remove the source EDB Postgres Advanced Server cluster with the script provided by pg_upgrade.

## Worked example

This example enables Transparent Data Encryption on an EDB Postgres Advanced Server version 16 running on an Ubuntu 22.04 machine.
This example enables TDE on EDB Postgres Advanced Server version 16 running on an Ubuntu 22.04 machine.

A similar workflow applies to other versions of EDB Postgres Advanced Server and EDB Postgres Extended Server. Note that the location of the BIN and CONFIG directories differs depending on your operating system and the Postgres version.
A similar workflow applies to other versions of EDB Postgres Advanced Server and EDB Postgres Extended Server. The location of the bin and config directories differs depending on your operating system and the Postgres version.

### Preparing your upgrade

@@ -44,7 +44,7 @@ Use [pg_dumpall](https://www.postgresql.org/docs/current/app-pg-dumpall.html), [
mkdir /var/lib/edb-as/16/TDE
```

1. Ensure the `enterprisedb` user owns the directory:
1. Ensure the enterprisedb user owns the directory:

```
sudo chown enterprisedb /var/lib/edb-as/16/TDE
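Review bot: `mkdir /var/lib/edb-as/16/TDE` runs without `sudo` while the next step uses `sudo chown enterprisedb /var/lib/edb-as/16/TDE`, so as written the `mkdir` either fails for a non-root user or the `sudo` is redundant; make the two steps consistent, and consider `chown enterprisedb:enterprisedb` so the group matches as well.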
@@ -69,7 +69,7 @@ Use [pg_dumpall](https://www.postgresql.org/docs/current/app-pg-dumpall.html), [
/usr/lib/edb-as/16/bin/initdb --data-encryption -D /var/lib/edb-as/16/TDE
```

This command initializes a CONFIG directory with all configuration files for the encrypted server.
This command initializes a config directory with all configuration files for the encrypted server.

1. Modify the port number in the configuration file of the encrypted instance. Uncomment the line with `#port` and change the port number. For example:

@@ -148,15 +148,15 @@ Use [pg_dumpall](https://www.postgresql.org/docs/current/app-pg-dumpall.html), [

### Cleaning up after upgrade

After you verify that `pg_upgrade` encrypted the data successfully, perform a cleanup.
After you verify that pg_upgrade encrypted the data successfully, perform a cleanup.

1. Clean up the database and its statistics:

```
/usr/lib/edb-as/16/bin/vacuumdb --all --analyze-in-stages
```

1. Remove all data files of the unencrypted server with the script generated by `pg_upgrade`:
1. Remove all data files of the unencrypted server with the script generated by pg_upgrade:

```
./delete_old_cluster.sh
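Review bot: `/usr/lib/edb-as/16/bin/vacuumdb --all --analyze-in-stages` connects to the default port, but the encrypted server was deliberately moved to a different port earlier in this procedure and the source server is stopped, so the command as written will not reach the new cluster. Add `-p <port>` (or set `PGPORT`) to match the changed port. `./delete_old_cluster.sh` is irreversible; restating here that the backup from the preparation step is the only remaining unencrypted copy would help readers pause before running it.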
2 changes: 1 addition & 1 deletion product_docs/docs/tde/15/enabling/index.mdx
@@ -9,4 +9,4 @@ navigation:

Create a TDE-enabled database server using `initdb`.

Or migrate an existing database instance by creating a TDE-enabled database server with `initdb` and then migrating data with `pg_upgrade`.
Or migrate an existing database instance by creating a TDE-enabled database server with `initdb` and then migrating data with pg_upgrade.
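Review bot: in the new sentence `initdb` keeps its code formatting while `pg_upgrade` loses it (`with \`initdb\` and then migrating data with pg_upgrade`); whichever convention the refresh settles on, both command names in one sentence should follow it.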