diff --git a/product_docs/docs/tde/15/key_stores.mdx b/product_docs/docs/tde/15/key_stores.mdx index 07ecf11c202..3e9ab249215 100644 --- a/product_docs/docs/tde/15/key_stores.mdx +++ b/product_docs/docs/tde/15/key_stores.mdx @@ -1,5 +1,7 @@ --- title: Securing the data encryption key +description: Learn how to secure your data with an encryption key. +deepToC: true --- @@ -61,16 +63,17 @@ postgres ALL = NOPASSWD: /usr/bin/systemd-ask-password You can use the key store in an external key management system to manage the data encryption key. The tested and supported key stores are: - Amazon AWS Key Management Service (KMS) +- Microsoft Azure Key Vault - Google Cloud - Cloud Key Management Service - HashiCorp Vault (KMIP Secrets Engine and Transit Secrets Engine) -- Microsoft Azure Key Vault - Thales CipherTrust Manager +- Fortanix Data Security Manager - +To use one of the available key stores, see the configuration examples. ### AWS Key Management Service example -Create a key with AWS Key Management Service: +Create a key with [AWS Key Management Service](https://docs.aws.amazon.com/kms/): ```shell aws kms create-key @@ -88,7 +91,7 @@ PGDATAKEYUNWRAPCMD='aws kms decrypt --key-id alias/pg-tde-master-1 --ciphertext- ### Azure Key Vault example -Create a key with Azure Key Vault: +Create a key with [Azure Key Vault](https://learn.microsoft.com/en-us/azure/key-vault/): ```shell az keyvault key create --vault-name pg-tde --name pg-tde-master-1 @@ -105,7 +108,7 @@ PGDATAKEYUNWRAPCMD='az keyvault key decrypt --name pg-tde-master-1 --vault-name ### Google Cloud KMS example -Create a key with Google Cloud KMS: +Create a key with [Google Cloud KMS](https://cloud.google.com/kms/docs): ```shell gcloud kms keys create pg-tde-master-1 --location=global --keyring=pg-tde --purpose=encryption 
@@ -120,17 +123,29 @@ PGDATAKEYUNWRAPCMD='gcloud kms decrypt --plaintext-file=- --ciphertext-file=%p - ### HashiCorp Vault Transit Secrets Engine example +Enable transit with [HashiCorp Vault Transit Secrets Engine](https://developer.hashicorp.com/vault/docs): + ```shell -# enable once vault secrets enable transit +``` + +Create a key and give it a name: -# create a key (pick a name) +```shell vault write -f transit/keys/pg-tde-master-1 +``` + +Use the `vault write` command with the `pg-tde-master-1` key to wrap and unwrap the data encryption key: +``` PGDATAKEYWRAPCMD='base64 | vault write -field=ciphertext transit/encrypt/pg-tde-master-1 plaintext=- > %p' PGDATAKEYUNWRAPCMD='vault write -field=plaintext transit/decrypt/pg-tde-master-1 ciphertext=- < %p | base64 -d' ``` +### Fortanix Data Security Manager example + +See [Using Fortanix Data Security Manager with EDB Postgres for TDE](https://support.fortanix.com/docs/using-fortanix-data-security-manager-with-edb-postgres-for-tde) for a step-by-step configuration tutorial. + ## Key rotation To change the master key, manually run the unwrap command specifying the old key. Then feed the result into the wrap command specifying the new key. Equivalently, if the data key is protected by a passphrase, to change the passphrase, run the unwrap command using the old passphrase. Then feed the result into the wrap command using the new passphrase. You can perform these operations while the database server is running. The wrapped data key in the file is used only on startup. It isn't used while the server is running.
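Review bot: The new `description` front-matter field in the first hunk misstates the page's topic: the title is "Securing the data encryption key" and the body is about protecting that key with a passphrase or an external key store, not about securing data with an encryption key. Suggest something like `description: Learn how to protect the data encryption key with a passphrase or an external key store.` so search snippets and the ToC entry match the content.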
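Review bot: In the key-store list hunk, moving Microsoft Azure Key Vault above Google Cloud drops the previous alphabetical order, and the new Fortanix entry is appended last, so the list now follows no stated rule; if the intent is to mirror the order of the example sections below (AWS, Azure, Google Cloud, HashiCorp Vault, Fortanix), Thales CipherTrust Manager then sits in the list without a corresponding example, which is worth either noting or giving its own section. The added sentence `+To use one of the available key stores, see the configuration examples.` would also be more useful as a link to those sections rather than a bare reference.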
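Review bot: In the HashiCorp Vault hunk, the third code fence (the one opened right after "Use the `vault write` command with the `pg-tde-master-1` key to wrap and unwrap the data encryption key:") has no `shell` language tag, unlike the two fences above it and every other example on the page, and it is not separated from the preceding paragraph by a blank line as the others are; add `shell` and the blank line for consistent rendering. The sentence introducing it also reads as if the reader should run `vault write` by hand, whereas `PGDATAKEYWRAPCMD` and `PGDATAKEYUNWRAPCMD` are settings that embed those commands, so wording along the lines of "Set the wrap and unwrap commands to call `vault write` with the `pg-tde-master-1` key" would be clearer. The link text "HashiCorp Vault Transit Secrets Engine" points at the root of the Vault docs rather than the Transit engine page; consider the more specific target. Finally, the new Fortanix section is the only provider section that consists solely of an external link; a one-line statement of what the external tutorial covers (which DSM objects are created and what the resulting wrap/unwrap commands look like) would keep it on par with the other examples and survive the external page moving.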