open-dsi
/
postgres
mirror of https://github.com/postgres/postgres
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
59922 Commits
38 Branches
662 Tags
732 MiB
Tag: Branch: Tree: 55663bbb29
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '55663bbb29'
${ noResults }
postgres/contrib/pg_tde/documentation/docs/functions.md

111 lines
3.7 KiB
Raw Normal View History Unescape

Documentation update (#149) * Updating documentation with configuration changes * Minor updates to improve readability * Added link to test.md for setup doc * Added documentation about key rotation and remote parameters --------- Co-authored-by: Anastasia Alexadrova <anastasia.alexandrova@percona.com>
1 year ago
# Functions
The `pg_tde` extension provides the following functions:
## pg_tde_add_key_provider_file
Creates a new key provider for the database using a local file.
This function is intended for development, and stores the keys unencrypted in the specified data file.
Removed code highlighting for better display in dar mode
10 months ago
```
Documentation update (#149) * Updating documentation with configuration changes * Minor updates to improve readability * Added link to test.md for setup doc * Added documentation about key rotation and remote parameters --------- Co-authored-by: Anastasia Alexadrova <anastasia.alexandrova@percona.com>
1 year ago
SELECT pg_tde_add_key_provider_file('provider-name','/path/to/the/keyring/data.file');
```
Doc: Added install from packages instructions
1 year ago
All parameters can be either strings, or JSON objects [referencing remote parameters](external-parameters.md).
Documentation update (#149) * Updating documentation with configuration changes * Minor updates to improve readability * Added link to test.md for setup doc * Added documentation about key rotation and remote parameters --------- Co-authored-by: Anastasia Alexadrova <anastasia.alexandrova@percona.com>
1 year ago
## pg_tde_add_key_provider_vault_v2
Creates a new key provider for the database using a remote HashiCorp Vault server.
The specified access parameters require permission to read and write keys at the location.
Removed code highlighting for better display in dar mode
10 months ago
```
PG-1241 Documented KMIP integration and setup (#368) PG-1241 Documented KMIP integration and setup modified: documentation/docs/_images/tde-flow.png modified: documentation/docs/setup.md modified: documentation/docs/tde.md
9 months ago
SELECT pg_tde_add_key_provider_vault_v2('provider-name','secret_token','url','mount','ca_path');
Documentation update (#149) * Updating documentation with configuration changes * Minor updates to improve readability * Added link to test.md for setup doc * Added documentation about key rotation and remote parameters --------- Co-authored-by: Anastasia Alexadrova <anastasia.alexandrova@percona.com>
1 year ago
```
where:
* `url` is the URL of the Vault server
* `mount` is the mount point where the keyring should store the keys
* `secret_token` is an access token with read and write access to the above mount point
* [optional] `ca_path` is the path of the CA file used for SSL verification
Doc: Added install from packages instructions
1 year ago
All parameters can be either strings, or JSON objects [referencing remote parameters](external-parameters.md).
Documentation update (#149) * Updating documentation with configuration changes * Minor updates to improve readability * Added link to test.md for setup doc * Added documentation about key rotation and remote parameters --------- Co-authored-by: Anastasia Alexadrova <anastasia.alexandrova@percona.com>
1 year ago
PG-1241 Documented KMIP integration and setup (#368) PG-1241 Documented KMIP integration and setup modified: documentation/docs/_images/tde-flow.png modified: documentation/docs/setup.md modified: documentation/docs/tde.md
9 months ago
## pg_tde_add_key_provider_kmip
Creates a new key provider for the database using a remote KMIP server.
The specified access parameters require permission to read and write keys at the server.
```
SELECT pg_tde_add_key_provider_kmip('provider-name','kmip-IP', 5696, '/path_to/server_certificate.pem', '/path_to/client_key.pem');
```
where:
* `provider-name` is the name of the provider. You can specify any name, it's for you to identify the provider.
* `kmip-IP` is the IP address of a domain name of the KMIP server
* The port to communicate with the KMIP server. The default port is `5696`.
* `server-certificate` is the path to the certificate file for the KMIP server.
* `client key` is the path to the client key.
Renamed master key to principal key (#228) This commit contains lots of changes, but it's just a repeated execution of find <...> -exec sed <...>, so everything should work as before.
1 year ago
## pg_tde_set_principal_key
Documentation update (#149) * Updating documentation with configuration changes * Minor updates to improve readability * Added link to test.md for setup doc * Added documentation about key rotation and remote parameters --------- Co-authored-by: Anastasia Alexadrova <anastasia.alexandrova@percona.com>
1 year ago
Renamed master key to principal key (#228) This commit contains lots of changes, but it's just a repeated execution of find <...> -exec sed <...>, so everything should work as before.
1 year ago
Sets the principal key for the database using the specified key provider.
Documentation update (#149) * Updating documentation with configuration changes * Minor updates to improve readability * Added link to test.md for setup doc * Added documentation about key rotation and remote parameters --------- Co-authored-by: Anastasia Alexadrova <anastasia.alexandrova@percona.com>
1 year ago
Renamed master key to principal key (#228) This commit contains lots of changes, but it's just a repeated execution of find <...> -exec sed <...>, so everything should work as before.
1 year ago
The principal key name is also used for constructing the name in the provider, for example on the remote Vault server.
Documentation update (#149) * Updating documentation with configuration changes * Minor updates to improve readability * Added link to test.md for setup doc * Added documentation about key rotation and remote parameters --------- Co-authored-by: Anastasia Alexadrova <anastasia.alexandrova@percona.com>
1 year ago
WAL keyring improvements (#238) - Rename database key rotation functions to make room for the global space ones. - Now, during the first start, we would create a default temporary key provider for the global space. A user can (and should) create their own key provider afterwards. This allows use the same codepath and internal interfaces for the keyring management across databases and the global space. - Now need to cache the principal key for the global space as we use it only at the server start to decrypt internal key. Then internal key persists in the memory cache. Fixes https://perconadev.atlassian.net/browse/PG-835, https://perconadev.atlassian.net/browse/PG-833
1 year ago
You can use this function only to a principal key. For changes in the principal key, use the [`pg_tde_rotate_principal_key`](#pg_tde_rotate_principal_key) function.
Documentation update (#149) * Updating documentation with configuration changes * Minor updates to improve readability * Added link to test.md for setup doc * Added documentation about key rotation and remote parameters --------- Co-authored-by: Anastasia Alexadrova <anastasia.alexandrova@percona.com>
1 year ago
Removed code highlighting for better display in dar mode
10 months ago
```
Renamed master key to principal key (#228) This commit contains lots of changes, but it's just a repeated execution of find <...> -exec sed <...>, so everything should work as before.
1 year ago
SELECT pg_tde_set_principal_key('name-of-the-principal-key', 'provider-name');
Documentation update (#149) * Updating documentation with configuration changes * Minor updates to improve readability * Added link to test.md for setup doc * Added documentation about key rotation and remote parameters --------- Co-authored-by: Anastasia Alexadrova <anastasia.alexandrova@percona.com>
1 year ago
```
WAL keyring improvements (#238) - Rename database key rotation functions to make room for the global space ones. - Now, during the first start, we would create a default temporary key provider for the global space. A user can (and should) create their own key provider afterwards. This allows use the same codepath and internal interfaces for the keyring management across databases and the global space. - Now need to cache the principal key for the global space as we use it only at the server start to decrypt internal key. Then internal key persists in the memory cache. Fixes https://perconadev.atlassian.net/browse/PG-835, https://perconadev.atlassian.net/browse/PG-833
1 year ago
## pg_tde_rotate_principal_key
Documentation update (#149) * Updating documentation with configuration changes * Minor updates to improve readability * Added link to test.md for setup doc * Added documentation about key rotation and remote parameters --------- Co-authored-by: Anastasia Alexadrova <anastasia.alexandrova@percona.com>
1 year ago
Renamed master key to principal key (#228) This commit contains lots of changes, but it's just a repeated execution of find <...> -exec sed <...>, so everything should work as before.
1 year ago
Creates a new version of the specified principal key and updates the database so that it uses the new principal key version.
Documentation update (#149) * Updating documentation with configuration changes * Minor updates to improve readability * Added link to test.md for setup doc * Added documentation about key rotation and remote parameters --------- Co-authored-by: Anastasia Alexadrova <anastasia.alexandrova@percona.com>
1 year ago
Doc: Added install from packages instructions
1 year ago
When used without any parameters, the function will just create a new version of the current database
Renamed master key to principal key (#228) This commit contains lots of changes, but it's just a repeated execution of find <...> -exec sed <...>, so everything should work as before.
1 year ago
principal key, using the same provider:
Documentation update (#149) * Updating documentation with configuration changes * Minor updates to improve readability * Added link to test.md for setup doc * Added documentation about key rotation and remote parameters --------- Co-authored-by: Anastasia Alexadrova <anastasia.alexandrova@percona.com>
1 year ago
Removed code highlighting for better display in dar mode
10 months ago
```
WAL keyring improvements (#238) - Rename database key rotation functions to make room for the global space ones. - Now, during the first start, we would create a default temporary key provider for the global space. A user can (and should) create their own key provider afterwards. This allows use the same codepath and internal interfaces for the keyring management across databases and the global space. - Now need to cache the principal key for the global space as we use it only at the server start to decrypt internal key. Then internal key persists in the memory cache. Fixes https://perconadev.atlassian.net/browse/PG-835, https://perconadev.atlassian.net/browse/PG-833
1 year ago
SELECT pg_tde_rotate_principal_key();
Documentation update (#149) * Updating documentation with configuration changes * Minor updates to improve readability * Added link to test.md for setup doc * Added documentation about key rotation and remote parameters --------- Co-authored-by: Anastasia Alexadrova <anastasia.alexandrova@percona.com>
1 year ago
```
Doc: Added install from packages instructions
1 year ago
Alternatively, you can pass two parameters to the function, specifying both a new key name and a new provider name:
Documentation update (#149) * Updating documentation with configuration changes * Minor updates to improve readability * Added link to test.md for setup doc * Added documentation about key rotation and remote parameters --------- Co-authored-by: Anastasia Alexadrova <anastasia.alexandrova@percona.com>
1 year ago
Removed code highlighting for better display in dar mode
10 months ago
```
WAL keyring improvements (#238) - Rename database key rotation functions to make room for the global space ones. - Now, during the first start, we would create a default temporary key provider for the global space. A user can (and should) create their own key provider afterwards. This allows use the same codepath and internal interfaces for the keyring management across databases and the global space. - Now need to cache the principal key for the global space as we use it only at the server start to decrypt internal key. Then internal key persists in the memory cache. Fixes https://perconadev.atlassian.net/browse/PG-835, https://perconadev.atlassian.net/browse/PG-833
1 year ago
SELECT pg_tde_rotate_principal_key('name-of-the-new-principal-key', 'name-of-the-new-provider');
Documentation update (#149) * Updating documentation with configuration changes * Minor updates to improve readability * Added link to test.md for setup doc * Added documentation about key rotation and remote parameters --------- Co-authored-by: Anastasia Alexadrova <anastasia.alexandrova@percona.com>
1 year ago
```
Doc: Added install from packages instructions
1 year ago
Both parameters support the `NULL` value, which means that the parameter won't be changed:
Documentation update (#149) * Updating documentation with configuration changes * Minor updates to improve readability * Added link to test.md for setup doc * Added documentation about key rotation and remote parameters --------- Co-authored-by: Anastasia Alexadrova <anastasia.alexandrova@percona.com>
1 year ago
Removed code highlighting for better display in dar mode
10 months ago
```
Renamed master key to principal key (#228) This commit contains lots of changes, but it's just a repeated execution of find <...> -exec sed <...>, so everything should work as before.
1 year ago
-- creates new principal key on the same provider as before
WAL keyring improvements (#238) - Rename database key rotation functions to make room for the global space ones. - Now, during the first start, we would create a default temporary key provider for the global space. A user can (and should) create their own key provider afterwards. This allows use the same codepath and internal interfaces for the keyring management across databases and the global space. - Now need to cache the principal key for the global space as we use it only at the server start to decrypt internal key. Then internal key persists in the memory cache. Fixes https://perconadev.atlassian.net/browse/PG-835, https://perconadev.atlassian.net/browse/PG-833
1 year ago
SELECT pg_tde_rotate_principal_key('name-of-the-new-principal-key', NULL);
Documentation update (#149) * Updating documentation with configuration changes * Minor updates to improve readability * Added link to test.md for setup doc * Added documentation about key rotation and remote parameters --------- Co-authored-by: Anastasia Alexadrova <anastasia.alexandrova@percona.com>
1 year ago
Renamed master key to principal key (#228) This commit contains lots of changes, but it's just a repeated execution of find <...> -exec sed <...>, so everything should work as before.
1 year ago
-- copies the current principal key to a new provider
WAL keyring improvements (#238) - Rename database key rotation functions to make room for the global space ones. - Now, during the first start, we would create a default temporary key provider for the global space. A user can (and should) create their own key provider afterwards. This allows use the same codepath and internal interfaces for the keyring management across databases and the global space. - Now need to cache the principal key for the global space as we use it only at the server start to decrypt internal key. Then internal key persists in the memory cache. Fixes https://perconadev.atlassian.net/browse/PG-835, https://perconadev.atlassian.net/browse/PG-833
1 year ago
SELECT pg_tde_rotate_principal_key(NULL, 'name-of-the-new-provider');
Documentation update (#149) * Updating documentation with configuration changes * Minor updates to improve readability * Added link to test.md for setup doc * Added documentation about key rotation and remote parameters --------- Co-authored-by: Anastasia Alexadrova <anastasia.alexandrova@percona.com>
1 year ago
```
PG-1013 Updated the functions document (#370) * PG-1013 Updated the functions document * Removed the pg_alter_keyring_provider --------- Co-authored-by: Artem Gavrilov <artem.gavrilov@percona.com>
9 months ago
Documentation update (#149) * Updating documentation with configuration changes * Minor updates to improve readability * Added link to test.md for setup doc * Added documentation about key rotation and remote parameters --------- Co-authored-by: Anastasia Alexadrova <anastasia.alexandrova@percona.com>
1 year ago
## pg_tde_is_encrypted
PG-1380 Support checking if indexes and sequences are encrypted To support checking other relation types than tables we removed the check for the tde_heap access method and just do the following: relam == 'tde_heap_basic' || GetSMGRRelationKey() != NULL And to simplify the logic we merge pg_tde_is_encrypted() and pg_tde_internal_has_key(), which will be an even bigger win once the tde_heap_basic access method is removed since then we would only need to check if there is a SMGR key.
7 months ago
Tells if a relation is encrypted using the `pg_tde` extension or not.
PG-1013 Updated the functions document (#370) * PG-1013 Updated the functions document * Removed the pg_alter_keyring_provider --------- Co-authored-by: Artem Gavrilov <artem.gavrilov@percona.com>
9 months ago
fixup! PG-1380 Support checking if indexes and sequences are encrypted
7 months ago
To verify that a table is encrypted, run the following statement:
Documentation update (#149) * Updating documentation with configuration changes * Minor updates to improve readability * Added link to test.md for setup doc * Added documentation about key rotation and remote parameters --------- Co-authored-by: Anastasia Alexadrova <anastasia.alexandrova@percona.com>
1 year ago
Removed code highlighting for better display in dar mode
10 months ago
```
Documentation update (#149) * Updating documentation with configuration changes * Minor updates to improve readability * Added link to test.md for setup doc * Added documentation about key rotation and remote parameters --------- Co-authored-by: Anastasia Alexadrova <anastasia.alexandrova@percona.com>
1 year ago
SELECT pg_tde_is_encrypted('table_name');
```
PG-1380 Support checking if indexes and sequences are encrypted To support checking other relation types than tables we removed the check for the tde_heap access method and just do the following: relam == 'tde_heap_basic' || GetSMGRRelationKey() != NULL And to simplify the logic we merge pg_tde_is_encrypted() and pg_tde_internal_has_key(), which will be an even bigger win once the tde_heap_basic access method is removed since then we would only need to check if there is a SMGR key.
7 months ago
You can also verify if the table in a custom schema is encrypted. Pass the schema name for the function as follows:
Documentation update (#149) * Updating documentation with configuration changes * Minor updates to improve readability * Added link to test.md for setup doc * Added documentation about key rotation and remote parameters --------- Co-authored-by: Anastasia Alexadrova <anastasia.alexandrova@percona.com>
1 year ago
PG-1013 Updated the functions document (#370) * PG-1013 Updated the functions document * Removed the pg_alter_keyring_provider --------- Co-authored-by: Artem Gavrilov <artem.gavrilov@percona.com>
9 months ago
```
SELECT pg_tde_is_encrypted('schema.table_name');
```
PG-1380 Support checking if indexes and sequences are encrypted To support checking other relation types than tables we removed the check for the tde_heap access method and just do the following: relam == 'tde_heap_basic' || GetSMGRRelationKey() != NULL And to simplify the logic we merge pg_tde_is_encrypted() and pg_tde_internal_has_key(), which will be an even bigger win once the tde_heap_basic access method is removed since then we would only need to check if there is a SMGR key.
7 months ago
This can additoonally be used the verify that indexes and sequences are encrypted.