Edits to TDE: tutorials to enable data wrapper and provide passphrase… #6362

Merged
merged 1 commit into from
Dec 20, 2024
8 changes: 4 additions & 4 deletions product_docs/docs/tde/15/enabling/enabling_key_wrapper.mdx
@@ -7,15 +7,15 @@ If you want to enable key wrapping on TDE-enabled database clusters where key wr

## Context

When you create a TDE-enabled database cluster, `initdb` generates a data encryption key and stores it in `pg_encryption/key.bin`. Since this file is stored in plaintext, TDE requires an additional mechanism to [secure the data encryption key](../secure_key/). You normally configure the protection of the key as you initialize your TDE-enabled database cluster.
When you create a TDE-enabled database cluster, initdb generates a data encryption key and stores it in `pg_encryption/key.bin`. Since this file is stored in plaintext, TDE requires an additional mechanism to [secure the data encryption key](../secure_key/). You normally configure the protection of the key as you initialize your TDE-enabled database cluster.

However, you can chose to [disable key wrapping](../secure_key/disabling_key) for your data encryption key. Although this setup is not recommended, you might have chosen to leave your key unprotected to facilitate managing the cluster for testing or demo purposes.
However, you can choose to [disable key wrapping](../secure_key/disabling_key) for your data encryption key. Although we don't recommend this setup, you might have left your key unprotected to facilitate managing the cluster for testing or demo purposes.

If you disabled key wrapping, but later decide to enable a mechanism that secures your encryption key, you can enable it at a later time, by updating the encryption settings in the `postgresql.conf` file.
If you disabled key wrapping but later decide to enable a mechanism that secures your encryption key, you can enable it later by updating the encryption settings in the `postgresql.conf` file.

## Enable key wrapping with a passphrase

This example walks you through adding a passphrase-based protection mechanism or key wrapping to your data encryption key (`key.bin`).
This example shows you how to add a passphrase-based protection mechanism or key wrapping to your data encryption key (`key.bin`).

1. Store the passphrase in a file accessible by initdb named `pass.bin`:

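Review bot: In step 1 at the end of this hunk, "a file accessible by initdb" contradicts the paragraph just above it, which says key wrapping is enabled on an existing cluster by updating the encryption settings in `postgresql.conf`; by then initdb has already run, so the passphrase file must be readable by the user and process that actually perform the wrapping on the running cluster, and the step should name that instead of initdb. Also, the rewritten Context line drops the code formatting from `initdb` while keeping it for `pg_encryption/key.bin` and `postgresql.conf` in the same sentence; keep `initdb` in backticks for consistency. The "choose" and "we don't recommend" wording fixes read fine.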
6 changes: 3 additions & 3 deletions product_docs/docs/tde/15/secure_key/passphrase.mdx
@@ -44,12 +44,12 @@ You also need an entry like in `/etc/sudoers`:
postgres ALL = NOPASSWD: /usr/bin/systemd-ask-password
```

## Providing the passphrase through a file
## Providing the passphrase using a file

Another way to simplify operations is to store the passphrase in plaintext, so you can reference the file containing the passphrase when securing the data encryption files.
Another way to simplify operations is to store the passphrase in plaintext so you can reference the file containing the passphrase when securing the data encryption files.

!!!important
You should only use this method for testing or demonstration purposes. Don't store your passphrase in a plaintext file for production environments.
Use this method only for testing or demonstration purposes. Don't store your passphrase in a plaintext file in a production environment.
!!!

1. Store the passphrase in a file accessible by initdb named `pass.bin`:
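Review bot: The reworded important callout should say why this method is unsafe rather than only forbidding it: `pass.bin` holds the plaintext passphrase that unwraps `key.bin`, so anyone who can read it can recover the data encryption key and the wrapping collapses to file permissions. Suggest adding one sentence to that effect, and having step 1 tell the reader to create `pass.bin` readable only by the account that runs initdb (for example `chmod 600`), since "accessible by initdb" alone invites a world-readable file. The heading change to "using a file" and the comma removal are fine.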