initial commit, fixes to code presentation
- Updates to kmip with fixes to how we present code (website looks
better now!)
- Updates set-principal-key with similar fixes
- Updated keyring.md with similar fixes
And updated functions for two parameters with updates from 1506
This setup is intended for development and stores the keys unencrypted in the specified data file. See [how to use external reference to parameters](../how-to/external-parameters.md) to add an extra security layer to your setup.
!!! note
While keyfiles may be acceptable for **local** or **testing environments**, KMS integration is the recommended approach for production deployments.
```sql
SELECT pg_tde_add_global_key_provider_file(
'provider-name',
'/path/to/the/keyring/data.file'
);
SELECT pg_tde_add_global_key_provider_file(
'provider-name',
'/path/to/the/keyring/data.file'
);
```
The following example is used for testing purposes only:
To use a Key Management Interoperability Protocol (KMIP) server with `pg_tde`, you must configure it as a global key provider. This setup enables `pg_tde` to securely fetch and manage encryption keys from a centralized key management appliance.
!!! note
You need the root certificate of the KMIP server and a client key/certificate pair with permissions to create and read keys on the server.
It is recommended to review the [configuration guidelines for the HashiCorp Vault Enterprise KMIP Secrets Engine](https://developer.hashicorp.com/vault/tutorials/enterprise/kmip-engine) if you're using Vault.
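Review bot: the `!!! note` admonition bodies in this region ("While keyfiles may be acceptable..." and "You need the root certificate...") are not indented under the `!!! note` marker, so MkDocs will render them as plain paragraphs outside the callout rather than inside it; indent each body four spaces. The file-provider paragraph also says the keyring data file stores keys unencrypted, so one sentence stating that the file must be readable only by the database server's OS user (mode 0600 or equivalent) would help, since the file system permissions are then the only protection the key material has. Within this hunk, "The following example is used for testing purposes only:" is left with no example after it; if the example moved, move the lead-in sentence with it.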
@ -12,16 +11,16 @@ For testing purposes, you can use a lightweight PyKMIP server, which enables eas
## Example usage
```sql
SELECT pg_tde_add_global_key_provider_kmip(
'provider-name',
'kmip-IP',
5696,
'/path_to/server_certificate.pem',
'/path_to/client_cert.pem',
'/path_to/client_key.pem'
);
```
```sql
SELECT pg_tde_add_global_key_provider_kmip(
'provider-name',
'kmip-IP',
5696,
'/path_to/server_certificate.pem',
'/path_to/client_cert.pem',
'/path_to/client_key.pem'
);
```
## Parameter descriptions
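Review bot: the certificate placeholder does not match the prerequisites note. The note asks for the root certificate of the KMIP server, while the example passes `'/path_to/server_certificate.pem'`, which reads as the server's own leaf certificate. Rename the placeholder to something like `'/path_to/kmip_root_ca.pem'` or say in the parameter descriptions that this argument is the CA/root certificate used to verify the server. `'kmip-IP'` should likewise state whether a hostname is accepted as well as an IP address, since readers will otherwise hard-code addresses. The `## Parameter descriptions` heading closes the hunk with no descriptions visible; confirm the table still follows it.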
@ -36,15 +35,15 @@ For testing purposes, you can use a lightweight PyKMIP server, which enables eas
The following example is for testing purposes only.
```sql
SELECT pg_tde_add_global_key_provider_kmip(
'kmip','127.0.0.1',
5696,
'/tmp/server_certificate.pem',
'/tmp/client_cert_jane_doe.pem',
'/tmp/client_key_jane_doe.pem'
);
```
```sql
SELECT pg_tde_add_global_key_provider_kmip(
'kmip','127.0.0.1',
5696,
'/tmp/server_certificate.pem',
'/tmp/client_cert_jane_doe.pem',
'/tmp/client_key_jane_doe.pem'
);
```
For more information on related functions, see the link below:
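Review bot: the testing example stores the client private key and certificates under `/tmp/` (`'/tmp/client_key_jane_doe.pem'`). Even for a test-only example this is a poor pattern to publish: `/tmp` is world-writable and is typically cleared on reboot, and per the prerequisites note this key carries create and read rights on the KMIP server. Suggest a dedicated directory readable only by the server's OS user and a short sentence saying so. "For more information on related functions, see the link below:" ends the hunk with no link visible in the diff; confirm the link survived the edit.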
You can configure `pg_tde` to use HashiCorp Vault as a global key provider for managing encryption keys securely.
!!! note
This guide assumes that your Vault server is already set up and accessible. Vault configuration is outside the scope of this document, see [Vault's official documentation](https://developer.hashicorp.com/vault/docs) for more information.
## Example usage
```sql
SELECT pg_tde_add_global_key_provider_vault_v2(
'provider-name',
'secret_token',
'url',
'mount',
'ca_path'
);
SELECT pg_tde_add_global_key_provider_vault_v2(
'provider-name',
'secret_token',
'url',
'mount',
'ca_path'
);
```
## Parameter descriptions
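Review bot: the Vault note's body is not indented under `!!! note`, so it will render outside the callout, and its second sentence is a comma splice ("... outside the scope of this document, see [Vault's official documentation] ..."); indent the body and split it into two sentences. The template example passes `'secret_token'` as a literal in the SQL statement, which means a real token will end up in statement logging and in the `psql` history file; a pointer to the external-parameters how-to that the keyring page already references ("add an extra security layer") would fit here, next to the example rather than only on the keyring page.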
@ -29,13 +28,13 @@ You can configure `pg_tde` to use HashiCorp Vault as a global key provider for m
The following example is for testing purposes only. Use secure tokens and proper SSL validation in production environments:
```sql
SELECT pg_tde_add_global_key_provider_vault_v2(
'my-vault',
'hvs.zPuyktykA...example...ewUEnIRVaKoBzs2',
'http://vault.vault.svc.cluster.local:8200',
'secret/data',
NULL
);
SELECT pg_tde_add_global_key_provider_vault_v2(
'my-vault',
'hvs.zPuyktykA...example...ewUEnIRVaKoBzs2',
'http://vault.vault.svc.cluster.local:8200',
'secret/data',
NULL
);
```
For more information on related functions, see the link below:
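Review bot: the testing example contradicts the sentence that introduces it. The text says to use proper SSL validation in production, but the example uses `'http://vault.vault.svc.cluster.local:8200'` with `NULL` for the CA path, so the `hvs.` token and every key request travel in cleartext inside the cluster. Either make an `https://` URL with a CA file path the canonical example and keep the plain-http form as an explicitly marked test-only variant, or add a sentence stating what `NULL` for the CA path means and that an `http://` URL provides no transport protection at all. As in the KMIP hunk, "For more information on related functions, see the link below:" ends with no link visible; confirm the target still follows.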