From 5d16622fdb1d4bc217d43874d0622551e20d18cf Mon Sep 17 00:00:00 2001 From: Betsy Gitelman Date: Wed, 18 Dec 2024 12:59:05 -0500 Subject: [PATCH] Edits to TDE: tutorials to enable data wrapper and provide passphrase in file #6351 --- .../docs/tde/15/enabling/enabling_key_wrapper.mdx | 8 ++++---- product_docs/docs/tde/15/secure_key/passphrase.mdx | 6 +++--- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/product_docs/docs/tde/15/enabling/enabling_key_wrapper.mdx b/product_docs/docs/tde/15/enabling/enabling_key_wrapper.mdx index aac3a7335db..27b021fda13 100644 --- a/product_docs/docs/tde/15/enabling/enabling_key_wrapper.mdx +++ b/product_docs/docs/tde/15/enabling/enabling_key_wrapper.mdx 
@@ -7,15 +7,15 @@ If you want to enable key wrapping on TDE-enabled database clusters where key wr ## Context -When you create a TDE-enabled database cluster, `initdb` generates a data encryption key and stores it in `pg_encryption/key.bin`. Since this file is stored in plaintext, TDE requires an additional mechanism to [secure the data encryption key](../secure_key/). You normally configure the protection of the key as you initialize your TDE-enabled database cluster. +When you create a TDE-enabled database cluster, initdb generates a data encryption key and stores it in `pg_encryption/key.bin`. Since this file is stored in plaintext, TDE requires an additional mechanism to [secure the data encryption key](../secure_key/). You normally configure the protection of the key as you initialize your TDE-enabled database cluster. -However, you can chose to [disable key wrapping](../secure_key/disabling_key) for your data encryption key. Although this setup is not recommended, you might have chosen to leave your key unprotected to facilitate managing the cluster for testing or demo purposes. +However, you can choose to [disable key wrapping](../secure_key/disabling_key) for your data encryption key. Although we don't recommend this setup, you might have left your key unprotected to facilitate managing the cluster for testing or demo purposes. -If you disabled key wrapping, but later decide to enable a mechanism that secures your encryption key, you can enable it at a later time, by updating the encryption settings in the `postgresql.conf` file. +If you disabled key wrapping but later decide to enable a mechanism that secures your encryption key, you can enable it later by updating the encryption settings in the `postgresql.conf` file. ## Enable key wrapping with a passphrase -This example walks you through adding a passphrase-based protection mechanism or key wrapping to your data encryption key (`key.bin`). 
+This example shows you how to add a passphrase-based protection mechanism or key wrapping to your data encryption key (`key.bin`). 1. Store the passphrase in a file accessible by initdb named `pass.bin`: diff --git a/product_docs/docs/tde/15/secure_key/passphrase.mdx b/product_docs/docs/tde/15/secure_key/passphrase.mdx index 6bc341a3f61..4f87a850016 100644 --- a/product_docs/docs/tde/15/secure_key/passphrase.mdx +++ b/product_docs/docs/tde/15/secure_key/passphrase.mdx @@ -44,12 +44,12 @@ You also need an entry like in `/etc/sudoers`: postgres ALL = NOPASSWD: /usr/bin/systemd-ask-password ``` -## Providing the passphrase through a file +## Providing the passphrase using a file -Another way to simplify operations is to store the passphrase in plaintext, so you can reference the file containing the passphrase when securing the data encryption files. +Another way to simplify operations is to store the passphrase in plaintext so you can reference the file containing the passphrase when securing the data encryption files. !!!important - You should only use this method for testing or demonstration purposes. Don't store your passphrase in a plaintext file for production environments. + Use this method only for testing or demonstration purposes. Don't store your passphrase in a plaintext file in a production environment. !!! 1. Store the passphrase in a file accessible by initdb named `pass.bin`:
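Review bot: In the first hunk (enabling_key_wrapper.mdx), the rewritten sentence "add a passphrase-based protection mechanism or key wrapping to your data encryption key" still reads as two alternatives, when the intent is that passphrase-based protection is a form of key wrapping; suggest "add passphrase-based key wrapping to your data encryption key (`key.bin`)" so the reader is not left thinking there is a choice to make here. Also note that dropping the backticks from `initdb` in the Context paragraph leaves `postgresql.conf` and `pg_encryption/key.bin` in code formatting two lines away; whichever convention the TDE docs use for command names, it is worth applying it consistently within the same page rather than only in the one line touched by this edit.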
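Review bot: In the second hunk (passphrase.mdx), "reference the file containing the passphrase when securing the data encryption files" is the only place on either page that says "data encryption files"; everywhere else the object being protected is the data encryption key (`key.bin`), so this should read "when securing the data encryption key" to avoid implying that the passphrase protects the encrypted data files themselves. Since the `!!!important` block is being reworded anyway, it would also help to say why the plaintext file is a risk (anyone who can read `pass.bin` can unwrap `key.bin`) so that the "testing or demonstration only" restriction is understood rather than just stated; the surrounding `sudoers` / `systemd-ask-password` section already shows the production alternative, and a cross-reference to it from the admonition would close the loop.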