Merge pull request #6108 from EnterpriseDB/TDE/fortanix

TDE: Added Fortanix as available TDE key store
EnterpriseDB · Oct 1, 2024 · e67b6fa · e67b6fa · github-actions · Oct 1, 2024
2 parents 342b7f4 + 1c29a72
commit e67b6fa
Showing 1 changed file with 22 additions and 7 deletions.
diff --git a/product_docs/docs/tde/15/key_stores.mdx b/product_docs/docs/tde/15/key_stores.mdx
@@ -1,5 +1,7 @@
 ---
 title: Securing the data encryption key
+description: Learn how to secure your data with an encryption key.
+deepToC: true
 ---
 
 
@@ -61,16 +63,17 @@ postgres ALL = NOPASSWD: /usr/bin/systemd-ask-password
 You can use the key store in an external key management system to manage the data encryption key. The tested and supported key stores are:
 
 - Amazon AWS Key Management Service (KMS)
+- Microsoft Azure Key Vault
 - Google Cloud - Cloud Key Management Service
 - HashiCorp Vault (KMIP Secrets Engine and Transit Secrets Engine)
-- Microsoft Azure Key Vault
 - Thales CipherTrust Manager
+- Fortanix Data Security Manager
 
-
+To use one of the available key stores, see the configuration examples.
 
 ### AWS Key Management Service example
 
-Create a key with AWS Key Management Service:
+Create a key with [AWS Key Management Service](https://docs.aws.amazon.com/kms/):
 
 ```shell
 aws kms create-key
@@ -88,7 +91,7 @@ PGDATAKEYUNWRAPCMD='aws kms decrypt --key-id alias/pg-tde-master-1 --ciphertext-
 
 ### Azure Key Vault example
 
-Create a key with Azure Key Vault:
+Create a key with [Azure Key Vault](https://learn.microsoft.com/en-us/azure/key-vault/):
 
 ```shell
 az keyvault key create --vault-name pg-tde --name pg-tde-master-1
@@ -105,7 +108,7 @@ PGDATAKEYUNWRAPCMD='az keyvault key decrypt --name pg-tde-master-1 --vault-name
 
 ### Google Cloud KMS example
 
-Create a key with Google Cloud KMS:
+Create a key with [Google Cloud KMS](https://cloud.google.com/kms/docs):
 
 ```shell
 gcloud kms keys create pg-tde-master-1 --location=global --keyring=pg-tde --purpose=encryption
@@ -120,17 +123,29 @@ PGDATAKEYUNWRAPCMD='gcloud kms decrypt --plaintext-file=- --ciphertext-file=%p -
 
 ### HashiCorp Vault Transit Secrets Engine example
 
+Enable transit with [HashiCorp Vault Transit Secrets Engine](https://developer.hashicorp.com/vault/docs):
+
 ```shell
-# enable once
 vault secrets enable transit
+```
+
+Create a key and give it a name:
 
-# create a key (pick a name)
+```shell
 vault write -f transit/keys/pg-tde-master-1
+```
+
+Use the `vault write` command with the `pg-tde-master-1` key to wrap and unwrap the data encryption key:
 
+```
 PGDATAKEYWRAPCMD='base64 | vault write -field=ciphertext transit/encrypt/pg-tde-master-1 plaintext=- > %p'
 PGDATAKEYUNWRAPCMD='vault write -field=plaintext transit/decrypt/pg-tde-master-1 ciphertext=- < %p | base64 -d'
 ```
 
+### Fortanix Data Security Manager example 
+
+See [Using Fortanix Data Security Manager with EDB Postgres for TDE](https://support.fortanix.com/docs/using-fortanix-data-security-manager-with-edb-postgres-for-tde) for a step-by-step configuration tutorial.
+
 ## Key rotation
 
 To change the master key, manually run the unwrap command specifying the old key. Then feed the result into the wrap command specifying the new key. Equivalently, if the data key is protected by a passphrase, to change the passphrase, run the unwrap command using the old passphrase. Then feed the result into the wrap command using the new passphrase. You can perform these operations while the database server is running. The wrapped data key in the file is used only on startup. It isn't used while the server is running.